Bug 152710 - syslogd memory allocation error
syslogd memory allocation error
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: Package request (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
https://bugzilla.redhat.com/bugzilla/...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-04-30 22:31 EDT by Rok Papez
Modified: 2014-01-21 17:51 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-05 19:01:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:24:49 EST
During a code review it was discovered that syslogd does not allocate
enough memory to store all its pointers in the crunch list. The
problem code around line 1266 is this:

if ((result = (char **)malloc(sizeof(char *) * count+2)) == NULL)

There should be parenthesis around the count+2 since multiplication
otherwise takes place first. Without it, the array os not big enough
and unexpected results (or core dump) may follow.



------- Additional Comments From rok.papez@lugos.si 2004-04-30 22:32:59 ----

This *seems* to be a fix:
diff -ur sysklogd-1.4.1rh.orig/syslogd.c sysklogd-1.4.1rh/syslogd.c
--- sysklogd-1.4.1rh.orig/syslogd.c	2001-08-15 13:16:05.000000000 -0400
+++ sysklogd-1.4.1rh/syslogd.c	2004-04-08 17:09:42.000000000 -0400
@@ -1266,12 +1266,10 @@
 	
 	/* strip off trailing delimiters */
 	while (p[strlen(p)-1] == LIST_DELIMITER) {
-		count--;
 		p[strlen(p)-1] = '\0';
 	}
 	/* cut off leading delimiters */
 	while (p[0] == LIST_DELIMITER) {
-		count--;
 		p++; 
 	}
 	
@@ -1279,7 +1277,7 @@
 	for (count=i=0; p[i]; i++)
 		if (p[i] == LIST_DELIMITER) count++;
 	
-	if ((result = (char **)malloc(sizeof(char *) * count+2)) == NULL) {
+	if ((result = (char **)malloc(sizeof(char *) * (count+2))) == NULL) {
 		printf ("Sorry, can't get enough memory, exiting.\n");
 		exit(0);
 	}




------- Additional Comments From skvidal@phy.duke.edu 2004-04-30 22:39:57 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
packages for rhl 7.3(probably 7.x) and rhl9 for sysklod
crunchlist memory overrun
448d22dcd867142e71f88892ef883af5  ./9/sysklogd-1.4.1-13.legacy.9.i386.rpm
f533cfac620ab26620f6f2077c4cc3a9  ./9/sysklogd-debuginfo-1.4.1-13.legacy.9.i386.rpm
a1b6863d5c653b797c446fa4194d27af  ./9/sysklogd-1.4.1-13.legacy.9.src.rpm
2c86305eb39cd37cb85c6172bb25d5b8  ./7x/sysklogd-1.4.1-9.legacy.7x.src.rpm
9d98616b7dcb25a20b3453b8f7973ebf  ./7x/sysklogd-1.4.1-9.legacy.7x.i386.rpm
 
available at:
http://linux.duke.edu/~skvidal/RPMS/legacy/sysklogd/
tested on 7.3 and 9 - works fine
trivial patch applied from RHL bug report against FC2
please QA
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFAk2HD1Aj3x2mIbMcRAlQuAKCk96RJPCtAL+XovHaPKjAOc18c6gCeLU5+
Fi1o+TiyjFffNnNoaB/ahkQ=
=7KK8
-----END PGP SIGNATURE-----




------- Additional Comments From rok.papez@lugos.si 2004-05-01 00:01:12 ----

QA testing report:
==============
1. SRPMS inspection: only a code patch was added, source files are owned by 
user "skvidal", no other changes
2. Code inspection: PASS
3. SRPMS rebuild: PASS
3. RPM Upgrade: PASS
4. Functionality test: PASS




------- Additional Comments From bugs.michael@gmx.net 2004-05-01 02:45:45 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHA1
2b9a5c02fc572104206bb3c372416dc18105cbfb  sysklogd-1.4.1-9.legacy.7x.src.rpm

MD5
2c86305eb39cd37cb85c6172bb25d5b8  sysklogd-1.4.1-9.legacy.7x.src.rpm

* src.rpm is not signed
* sources have not changed
* patch makes sense
* binary build compared with 1.4.1-8 (rh73)

++PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAk5uU0iMVcrivHFQRAoQ+AJ0UER+TQRvUQlrgNliRFulKmNQbHACfXia0
s7sAepJ5wr8VG5pStVvMAK8=
=AsqS
-----END PGP SIGNATURE-----




------- Additional Comments From notting@redhat.com 2004-05-01 16:35:38 ----

AFAIK, crunch_list is only called from the commandline, so ti's not an
exploitable security issue (although it is a bug.)

The attached may be more complete, FWIW.



------- Additional Comments From notting@redhat.com 2004-05-01 16:36:09 ----

Created an attachment (id=646)
more involved patch... from Owl




------- Additional Comments From rok.papez@lugos.si 2004-05-02 00:21:49 ----

I've prepared new rpms with OWL patches: http://rok.iprom.si/~rok/fedora_legacy/
5eb98741f9f38a0c870c5a9d8b5eb780  sysklogd-1.4.1-14.legacy.9.i386.rpm
32ec7a2f2d858e37f6232f01cdc0cfff  sysklogd-1.4.1-14.legacy.9.src.rpm

I did a CI and owl patch seems fine/better.



------- Additional Comments From jonny.strom@netikka.fi 2004-05-02 00:38:05 ----

I tested the rpm's from http://rok.iprom.si/~rok/fedora_legacy/ with the 
more complete owl patch, and syslog is working as expected.



------- Additional Comments From bugs.michael@gmx.net 2004-05-02 02:23:12 ----

In reply to comment 6, the patch cleans up the code a bit, but doesn't add more
safety. 

E.g. the "while (*p &&" near the top. p is never zero, because getopt requires
an argument. If it were possible for p to be zero, the p[0] in the next while
statement [and beyond] would be disastrous.

The exit(0) -> exit(1) change is nice, but paranoid.




------- Additional Comments From jonny.strom@netikka.fi 2004-05-02 06:38:52 ----

An uppdate for Redhat 7.3 is avalible that includes the more complete owl patch:

The uppdate can be downloaded from here:


http://av8.netikka.fi/~johnny/fedora_legacy/rh73/

http://213.250.83.8/~johnny/fedora_legacy/rh73/sysklogd-1.4.1-9.legacy.i386.rpm
e9a52bf14f0ef005ac614789f2fe36f6

http://213.250.83.8/~johnny/fedora_legacy/rh73/sysklogd-1.4.1-9.legacy.src.rpm
aaec8729b03768ee2f4696f06fcddc8a

http://213.250.83.8/~johnny/fedora_legacy/rh73/sysklogd-crunchlist-owl.patch
6c093547189ee28fae019710e53c4aee

Basic testing was done and sysklogd is working as expected.



------- Additional Comments From villegas@math.gatech.edu 2004-05-05 04:25:17 ----

-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
 
I QA'ed the package referred in comment 5 (R: 14.legacy.9): 
 
1. Sources are same as on RH9 release. 
2. Spec is clean (safe) and based on the RH9 one. 
        builds clean 
3. Installs (upgrades) clean, works as expected. 
 
I vote for publish. 
 
Carlos 
 
-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1.2.1 (GNU/Linux) 
 
iD8DBQFAmPjjnACJnHU2u1ERAjYmAKCHteWHAaeuTYiOqT5/ltQmzBdbSACdEYNP 
lt5ZT94jqLuLbKmaetSotNc= 
=Q0iQ 
-----END PGP SIGNATURE----- 
 



------- Additional Comments From bugs.michael@gmx.net 2004-05-05 04:32:37 ----

There is no package in comment 5. And since there are two different packages for
rh9, please include URL and MD5 checksum of the package you refer to.




------- Additional Comments From bugs.michael@gmx.net 2004-05-05 04:33:32 ----

Carlos, adding you to Cc since previous comment was addressed to you.




------- Additional Comments From villegas@math.gatech.edu 2004-05-05 04:39:48 ----

-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
 
Sorry about that, I meant comment 7..., the MD5 is: 
 
32ec7a2f2d858e37f6232f01cdc0cfff  sysklogd-1.4.1-14.legacy.9.src.rpm 
 
From: http://rok.iprom.si/~rok/fedora_legacy/ 
 
Also by Jessee's request yesterday on the mailing list, I'm adding sha1: 
 
4eee546bbbe5a2b27bd17ad2f24515480de3b284  sysklogd-1.4.1-14.legacy.9.src.rpm 
 
Carlos 
 
-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1.2.1 (GNU/Linux) 
 
iD8DBQFAmPyKnACJnHU2u1ERAhMsAJ4rxqp5A8014K2vtCetA97RlmGBkgCeOkM3 
oeaeOfyW7zdb4lcuwLzmJG4= 
=1W6o 
-----END PGP SIGNATURE----- 
 



------- Additional Comments From bugs.michael@gmx.net 2004-05-05 07:22:09 ----

Two publish votes for rh9 package.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHA1
4eee546bbbe5a2b27bd17ad2f24515480de3b284  sysklogd-1.4.1-14.legacy.9.src.rpm

* src.rpm is signed
* sources have not changed
* patch is the same than linked by Bill Nottingham
* proof-read patch (I was wrong about the *p check in comment 9)

++PUBLISH

* %release should _not_ be higher than 13, because 1.4.1-13 is the
  sysklogd package from Fedora Core 1.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAmSJ30iMVcrivHFQRArLCAJ9xOLr06jO/6WMA1X8mxVSydaY7DQCfQz0q
s76BGJaRmsGiSWFl4MsolW0=
=YrGy
-----END PGP SIGNATURE-----




------- Additional Comments From bugs.michael@gmx.net 2004-05-05 08:58:16 ----

Btw, the package difference between rh73 and rh9 is that the tarball in the rh73
package strip-installs the binaries. This was dropped in new releases. So, the
legacy update at

  http://rok.iprom.si/~rok/fedora_legacy/sysklogd-1.4.1-14.legacy.9.src.rpm

can be used for rh73, rh80 and rh9. The tarball in the rh72 package is a much
older one.



------- Additional Comments From jkeating@j2solutions.net 2004-05-06 19:37:45 ----

strange, the tarball in 7.2 is older?  They all have the same 1.4.1 base
release, which would assume the same tarball, is this not true?



------- Additional Comments From skvidal@phy.duke.edu 2004-05-06 19:39:46 ----

md5sum it - I'm pretty sure it changes a bit as it goes on

it's rh's on tree of syslogd




------- Additional Comments From bugs.michael@gmx.net 2004-05-07 01:57:43 ----

The console log level was changed between rh72 and rh73, for instance. Also see
./redhat/ChangeLog in the tarball.



------- Additional Comments From jkeating@j2solutions.net 2004-06-16 16:17:15 ----

Pushed to updates-testing:

  http://download.fedoralegacy.org/redhat/

3f8e285b96ae0edac5e13ac79ac399370273aabf
7.3/updates-testing/SRPMS/sysklogd-1.4.1-14.legacy.7x.src.rpm
f0f67bd5db849a382f6535363b6233f8e72a45c5
7.3/updates-testing/i386/sysklogd-1.4.1-14.legacy.7x.i386.rpm

ed1462e72e4ab23e7bb3ec270a4df7fa3216dd5e
9/updates-testing/SRPMS/sysklogd-1.4.1-14.legacy.9.src.rpm
9a5972d1b3485c875b8f57b7b277341a74958d4b
9/updates-testing/i386/sysklogd-1.4.1-14.legacy.9.i386.rpm



------- Additional Comments From rmy@tigress.co.uk 2004-06-18 00:00:51 ----

-----BEGIN PGP SIGNED MESSAGE-----

I've installed the rh7x RPM on four machines.  All of them are working
happily.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iQCVAwUBQNK9Mh2/joqPEUdFAQHiiAP+N7c7S8u+oaUZiSXeL47zVIbu5JdkqS3j
bCCWCj8ShHs4tp0nFP0ngE0fpzz/tv8V9qn+s7cVgjQuSQFnYxblE19ED5VyS4jy
serCvIk3d1v75cciHAOBq6y559oPzcXvodBbWbcmJdJDHD5HW3zh154Zt9RWdhM/
fgBvbHpbycg=
=acpt
-----END PGP SIGNATURE-----



------- Additional Comments From villegas@math.gatech.edu 2004-06-18 04:31:32 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I've been using sysklogd-1.4.1-14.legacy.9 on a couple of RH9
boxes since it was released to updates-testing, everything
is working as expected.

Carlos

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFA0vyinACJnHU2u1ERAhArAKCKid/CZ95v8AHnMrSWW+dDyiOoVgCgwDD4
8FPYJe+tZ51y5UVuZzoLabc=
=2tBB
-----END PGP SIGNATURE-----




------- Additional Comments From dom@earth.li 2004-06-21 06:46:31 ----

1.4.1-14.legacy.7x installs and runs fine on rh7.3.



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:24 -------

This bug previously known as bug 1553 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1553
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
more involved patch... from Owl
https://bugzilla.fedora.us/attachment.cgi?action=view&id=646

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.


Note You need to log in before you can comment on or make changes to this bug.