Rsyslog runs into segfault due to processing malformed queue message. #5365

Open
lonicerae opened this issue Apr 16, 2024 · 2 comments

@lonicerae
Contributor

Hello,

When I was researching a segfault issue of rsyslog, I found that a malformed queue message could make the message parser quit with RS_RET_INVALID_DELIMITER. Later, rsCStrDestruct() would try to free the buffer address in which no allocated string was assigned. The flow looks like this:

```c
/* de-serialize a string, length must be provided but may be 0 */
static rsRetVal objDeserializeStr(cstr_t **ppCStr, int iLen, strm_t *pStrm)
{
        DEFiRet;
        int i;
        uchar c;
        cstr_t *pCStr = NULL;

        assert(ppCStr != NULL);
        assert(iLen >= 0);

        CHKiRet(cstrConstruct(&pCStr));

        NEXTC;
        for(i = 0 ; i < iLen ; ++i) {
                CHKiRet(cstrAppendChar(pCStr, c));
                NEXTC;
        }
        cstrFinalize(pCStr);

        /* check terminator */
        if(c != ':') ABORT_FINALIZE(RS_RET_INVALID_DELIMITER);

        *ppCStr = pCStr; /* <<<--------- Not allocated. */
```

==>

```c
rsRetVal
MsgDeserialize(smsg_t * const pMsg, strm_t *pStrm)
{
:
finalize_it:
        if(pVar != NULL)
                var.Destruct(&pVar);
```

==>

```c
void rsCStrDestruct(cstr_t **const ppThis)
{
        free((*ppThis)->pBuf); /* <<<--------- Try to free and run into segfault */
        RSFREEOBJ(*ppThis);
        *ppThis = NULL;
}
```

Perhaps we need to strengthen the destruction functions to cope with the bad queue messages.

Best regards,
Flos
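Added example, not rsyslog's code and not part of the report above: a compact C model of the objDeserializeStr() -> MsgDeserialize() finalize_it -> rsCStrDestruct() path the report describes, with the three hardening points a reviewer would ask for: the out-parameter is defined on every path, the partially built string is released inside the deserializer on failure, and the destructor tolerates a NULL object. The stream type, the cstr helpers, deserializeQueueString() and the Safe suffix are assumptions made for this example; the crash itself is not reproduced, because freeing through an undefined pointer is undefined behaviour.

```c
/* Added example, not rsyslog's code: a model of objDeserializeStr(), its
 * caller's finalize_it, and rsCStrDestruct(), hardened so a bad delimiter
 * returns an error code instead of freeing an undefined pointer. */
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned char *pBuf; size_t len, cap; } cstr_t;   /* pBuf NULL until first append */
typedef struct { const unsigned char *data; size_t len, pos; } strm_t; /* assumed stream: buffer + cursor */

enum { RS_RET_OK = 0, RS_RET_OUT_OF_MEMORY = -1,
       RS_RET_INVALID_DELIMITER = -2,   /* byte after the string is not ':' */
       RS_RET_INVALID_LEN = -3 };       /* stream ends before the declared length */

static int strmReadChar(strm_t *s, unsigned char *c)   /* 1 = byte read, 0 = end of stream */
{
    if (s->pos >= s->len) return 0;
    *c = s->data[s->pos++];
    return 1;
}

static int cstrConstruct(cstr_t **pp)
{
    cstr_t *p = calloc(1, sizeof *p);
    if (p == NULL) return RS_RET_OUT_OF_MEMORY;
    *pp = p;
    return RS_RET_OK;
}

static int cstrAppendChar(cstr_t *p, unsigned char c)
{
    if (p->len + 2 > p->cap) {                  /* room for c and the NUL */
        size_t ncap = p->cap ? p->cap * 2 : 16;
        unsigned char *nb = realloc(p->pBuf, ncap);
        if (nb == NULL) return RS_RET_OUT_OF_MEMORY;
        p->pBuf = nb; p->cap = ncap;
    }
    p->pBuf[p->len++] = c;
    p->pBuf[p->len] = '\0';
    return RS_RET_OK;
}

/* Hardened form of rsCStrDestruct(): a NULL handle or NULL object is a no-op,
 * instead of the unconditional free((*ppThis)->pBuf) quoted in the report. */
static void rsCStrDestructSafe(cstr_t **ppThis)
{
    if (ppThis == NULL || *ppThis == NULL) return;
    free((*ppThis)->pBuf);
    free(*ppThis);
    *ppThis = NULL;
}

/* Model of objDeserializeStr(): read iLen bytes, then require ':'.
 * Hardened twice: *ppCStr is defined on every path, and the partial string
 * is released locally on failure instead of being leaked or handed out. */
static int objDeserializeStr(cstr_t **ppCStr, size_t iLen, strm_t *pStrm)
{
    int iRet = RS_RET_OK;
    cstr_t *pCStr = NULL;
    unsigned char c = 0;

    *ppCStr = NULL;
    if ((iRet = cstrConstruct(&pCStr)) != RS_RET_OK) goto finalize_it;
    for (size_t i = 0; i < iLen; ++i) {
        if (!strmReadChar(pStrm, &c)) { iRet = RS_RET_INVALID_LEN; goto finalize_it; }
        if ((iRet = cstrAppendChar(pCStr, c)) != RS_RET_OK) goto finalize_it;
    }
    if (!strmReadChar(pStrm, &c) || c != ':') {   /* check terminator */
        iRet = RS_RET_INVALID_DELIMITER;
        goto finalize_it;
    }
    *ppCStr = pCStr;            /* ownership moves to the caller only on success */
    pCStr = NULL;
finalize_it:
    rsCStrDestructSafe(&pCStr); /* no-op after a successful hand-over */
    return iRet;
}

/* Model of the MsgDeserialize() caller (name assumed): pVar starts NULL and
 * always goes through the NULL-tolerant destructor, so a malformed queue
 * record yields an error code. On success the parsed bytes are copied to out. */
static int deserializeQueueString(const unsigned char *wire, size_t wireLen,
                                  size_t declaredLen, char *out, size_t outCap)
{
    strm_t strm = { wire, wireLen, 0 };
    cstr_t *pVar = NULL;
    int iRet = objDeserializeStr(&pVar, declaredLen, &strm);
    if (iRet == RS_RET_OK && out != NULL && outCap > 0) {
        const char *src = pVar->pBuf ? (const char *)pVar->pBuf : "";
        size_t n = strlen(src);
        if (n >= outCap) n = outCap - 1;
        memcpy(out, src, n);
        out[n] = '\0';
    }
    rsCStrDestructSafe(&pVar);  /* safe whether or not the parse ever set it */
    return iRet;
}
```

The wire form here is only the part objDeserializeStr() consumes after the caller has already read the length (iLen bytes followed by ':'); the rest of rsyslog's queue serialization format is out of scope. Calling deserializeQueueString() with the constructed inputs "hello:" (length 5) returns RS_RET_OK, with "hello;" returns RS_RET_INVALID_DELIMITER, and with a truncated "hel" returns RS_RET_INVALID_LEN, each without touching an undefined pointer.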

@rgerhards rgerhards self-assigned this Apr 16, 2024
@rgerhards rgerhards added the bug label Apr 16, 2024
@rgerhards
Member

thx for the info, much appreciated!

@lonicerae
Contributor Author

Hi @rgerhards, just proposed a fix here:

Please help to review it. Thank you!
