Here we go - https://github.com/rsyslog/rsyslog/pull/840
On Thu, Mar 3, 2016 at 9:15 AM, Brian Knox <[email protected]> wrote:
>
> https://github.com/rsyslog/rsyslog/blob/b5649a98107a8e6b7042e103f17bb16e907504f2/plugins/imfile/imfile.c#L686
>
> Looks like getBasename should perhaps return a -1 if it doesn't find a
> slash - and then we can "do the right thing" based on that. I'll see if I
> can sneak in time for a fix today or tomorrow.
>
> Cheers,
> Brian
>
> On Thu, Mar 3, 2016 at 9:04 AM, Brian Knox <[email protected]> wrote:
>
>> line 727 in imfile.c :
>>
>> memcpy(dirn, inst->pszFileName, i); /* do not copy slash */
>>
>>
>> On Thu, Mar 3, 2016 at 8:53 AM, Brian Knox <[email protected]>
>> wrote:
>>
>>> I've found a buffer overflow in imfile in the master-candidate branch.
>>> To reproduce, make an imfile config that uses a relative path rather than
>>> absolute to a file:
>>>
>>> ```
>>> module(load="imfile" PollingInterval="10")
>>>
>>> input(
>>> type="imfile"
>>> tag="crash"
>>> File="crashme"
>>> )
>>>
>>> *.* /var/log/syslog
>>> ```
>>>
>>> This results in:
>>>
>>> ```
>>> 3146.392981790:main thread : deletestateonfiledelete: (unset)
>>> 3146.392987727:main thread : addmetadata: (unset)
>>> 3146.392993638:main thread : addceetag: (unset)
>>> 3146.392999527:main thread : statefile: (unset)
>>> *** buffer overflow detected ***: rsyslogd terminated
>>> ======= Backtrace: =========
>>> /lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7f286982b38f]
>>> /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f28698c2c9c]
>>> /lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7f28698c1b60]
>>> /usr/local/lib/rsyslog/imfile.so(+0x22cd)[0x7f286919f2cd]
>>> /usr/local/lib/rsyslog/imfile.so(+0x254d)[0x7f286919f54d]
>>> rsyslogd(inputProcessCnf+0x99)[0x4147a9]
>>> rsyslogd(cnfDoObj+0x90)[0x414ba0]
>>> rsyslogd(yyparse+0xbae)[0x45435e]
>>> rsyslogd(load+0xc35)[0x414145]
>>> rsyslogd(initAll+0x5ef)[0x448e2f]
>>> rsyslogd(main+0x30)[0x40dfe0]
>>> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7f28697d9ec5]
>>> rsyslogd[0x40e35a]
>>> ```
>>>
>>> I don't have time to dig into it today but wanted to go ahead and report
>>> it. If I correctly use an absolute path to the file (I used a relative by
>>> mistake when testing and found this), things work as expected.
>>>
>>> If I get some time tomorrow to dig into it I will!
>>>
>>> Cheers,
>>> Brian
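
The approach suggested in the thread (the slash search reports -1 when the path has no slash, and the caller acts on that before computing a copy length) can be sketched as follows. This is an added example, not part of the original thread and not rsyslog's code or the fix in the linked pull request; `last_slash`, `split_path`, and the `MAXFNAME` value are hypothetical names and sizes chosen for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAXFNAME 200 /* assumed buffer size for this sketch */

/* Hypothetical helper: index of the last '/' in path, or -1 if none. */
static int last_slash(const char *path)
{
    const char *p = strrchr(path, '/');
    return p == NULL ? -1 : (int)(p - path);
}

/* Split path into directory and base name.
 * Returns 0 on success, -1 if a component does not fit its buffer. */
static int split_path(const char *path, char *dirn, size_t dirsz,
                      char *basen, size_t basesz)
{
    int i = last_slash(path);
    const char *base = path + (i + 1); /* i == -1: whole path is the name */

    if (i < 0) {
        /* No slash (e.g. File="crashme"): never use i as a length here.
         * A negative int converted to memcpy's size_t becomes huge. */
        if (dirsz < 2)
            return -1;
        strcpy(dirn, ".");
    } else {
        size_t dirlen = (i == 0) ? 1 : (size_t)i; /* keep "/" for root */
        if (dirlen >= dirsz)
            return -1;
        memcpy(dirn, path, dirlen); /* length is non-negative and bounded */
        dirn[dirlen] = '\0';
    }
    if (strlen(base) >= basesz)
        return -1;
    strcpy(basen, base);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs; "crashme" is the value from the report. */
    const char *samples[] = { "crashme", "/var/log/syslog", "/syslog" };
    char dirn[MAXFNAME], basen[MAXFNAME];

    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        if (split_path(samples[k], dirn, sizeof dirn, basen, sizeof basen) == 0)
            printf("%-16s dir=%s base=%s\n", samples[k], dirn, basen);
    }
    return 0;
}
```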

