[patch] syslogd: expand duplicate message suppression
Chris Craig
chris at microtronix.com
Tue Apr 14 20:02:55 UTC 2009
Denys Vlasenko wrote:
> Hi Chris,
>
> Sorry for coming back with horrible delay.
No problem, this is certainly not a critical issue.
> IIUC current code will print one message *per second* if buggy program
> is flooding syslogd -D with identical message. This makes admin aware
> that something weird is going on, without overflowing the log
> *quickly*.
Well the existing code does this because the granularity of ctime is 1
second.
> With this patch, it will not be obvious that "buggy program" is running.
> Even though it floods the syslog, the messages aren't printed
> until some other program intervenes with different message,
> in other words, maybe for a long time.
I've attached a revised patch that includes a config option to specify
the maximum number of dropped messages - this should alleviate this concern.
> You assume syslog clients send lines with (strictly two-digit) <NN> prio
> and timestamps. You can't make such an assumption. For all we know,
> sz may be *less than 19*, sz - 19 overflows,
> and you have a remotely exploitable attack on the syslog -
> memcmp will happily go and "compare" many gigabytes of memory,
> perhaps getting killed by SIGSEGV.
Revised patch also checks for a timestamp signature (pretty much the
same as is done in timestamp_and_log).
--
Chris Craig
Microtronix Datacom Ltd.
9-1510 Woodcock Street
London ON N6H 5S1
Canada
Toll-Free: (888) 690-0091 x253 (NA only)
Phone: (519) 690-0091 x253
http://microtronix.com
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: syslogd_dup_2.patch
URL: <http://lists.busybox.net/pipermail/busybox/attachments/20090414/43267c51/attachment.diff>
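The length problem raised in the review above, as an added example that is not part of the original message or the attached patch: a duplicate check that skips the priority tag and timestamp only after verifying they are present, so the compared length can never wrap. The function names and the 16-byte "Mmm dd hh:mm:ss " stamp layout are assumptions made for this sketch; the skip of 19 comes from the quoted review.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of a leading "<prio>" tag (1-3 digits), or 0 if absent or malformed. */
static size_t prio_len(const char *m, size_t sz)
{
    size_t i = 1;
    if (sz < 3 || m[0] != '<')
        return 0;
    while (i < sz && i <= 3 && m[i] >= '0' && m[i] <= '9')
        i++;
    return (i > 1 && i < sz && m[i] == '>') ? i + 1 : 0;
}

/* Assumed stamp layout "Mmm dd hh:mm:ss " (16 bytes); 0 if the signature is absent. */
static size_t stamp_len(const char *m, size_t sz)
{
    return (sz >= 16 && m[3] == ' ' && m[6] == ' ' && m[9] == ':'
         && m[12] == ':' && m[15] == ' ') ? 16 : 0;
}

/* Offset of the message text; never exceeds sz, so sz - offset cannot wrap. */
size_t body_offset(const char *m, size_t sz)
{
    size_t off = prio_len(m, sz);
    return off + stamp_len(m + off, sz - off);
}

/* 1 if both lines carry the same text after the optional prio and stamp. */
int is_duplicate(const char *a, size_t asz, const char *b, size_t bsz)
{
    size_t ao = body_offset(a, asz), bo = body_offset(b, bsz);
    if (asz - ao != bsz - bo)
        return 0;
    return memcmp(a + ao, b + bo, asz - ao) == 0;
}

/* Unguarded form from the review: wraps to a huge size_t when sz < skip. */
size_t unguarded_len(size_t sz, size_t skip) { return sz - skip; }

int main(void)
{
    const char *a = "<13>Apr 14 20:02:55 prog: oops";  /* constructed samples */
    const char *b = "<13>Apr 14 20:02:56 prog: oops";
    printf("dup=%d short_dup=%d wrapped=%zu\n", is_duplicate(a, strlen(a), b, strlen(b)),
           is_duplicate("hi", 2, "hi", 2), unguarded_len(2, 19));
    return 0;
}
```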