OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
I have a machine where the ossec client is running and where I have long logs with lots of information.
When trying to extract all that information using a decoder where the tag references more than 8 ossec fields, I get a segfault when the client reaches those logs.
Looking at https://github.com/ossec/ossec-hids/blob/master/src/analysisd/decoders/decode-xml.c#L435, I can see that the number of fields that can be extracted is hard-coded.
I guess this was done for historical reasons (the comment above that line suggests that ossec only supported 8 fields at the time, while it now supports a few more fields it seems).
Would it be possible to increase that limit or to remove it completely?
FWIW, I applied the following patch locally against 2.8.1 which seems to fix the issue in my case.
I've set the new limit to 32 because I wasn't really sure what the actual limit should be.
--- ossec-hids-2.8.1/src/analysisd/decoders/decode-xml.c 2015-10-26 16:01:43.024114991 +0100
+++ ossec-hids-2.8.1/src/analysisd/decoders/decode-xml.c 2015-10-26 16:04:34.185896701 +0100
@@ -525,14 +525,14 @@
char **norder, **s_norder;
int order_int = 0;
- /* Maximum number is 8 for the order */
- norder = OS_StrBreak(',',elements[j]->content, 8);
+ /* Maximum number is 32 for the order */
+ norder = OS_StrBreak(',',elements[j]->content, 32);
s_norder = norder;
- os_calloc(8, sizeof(void *), pi->order);
+ os_calloc(32, sizeof(void *), pi->order);
/* Initializing the function pointers */
- while(order_int < 8)
+ while(order_int < 32)
{
pi->order[order_int] = NULL;
order_int++;
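Review bot: the new limit 32 is repeated as a bare literal in three places (the OS_StrBreak size, the os_calloc count and the `while(order_int < 32)` bound); a single `#define` used in all three would keep the split limit, the allocation and the initialisation loop from drifting apart the next time the cap changes. Raising the number also only moves the cliff rather than removing it: if OS_StrBreak can hand back more entries than the array holds, a decoder whose order list exceeds the limit should be rejected with an error at load time instead of being parsed into a fixed-size array, which turns the reported segfault into a clear configuration error.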
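As an added example (not OSSEC's own code; MAX_ORDER, parse_order and parse_repeated are hypothetical names), the same comma-separated order list parsed with the capacity held in one constant, and a list longer than the limit rejected instead of written past the array:

```c
#define _POSIX_C_SOURCE 200809L   /* strdup, strtok_r */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not OSSEC's code: the decoder order list parsed against one
 * capacity constant, so the allocation size, the NULL-fill loop and the split
 * limit cannot drift apart the way three separate literals can. */
#define MAX_ORDER 32

static void free_order(char *order[], int n) {
    for (int i = 0; i < n; i++) free(order[i]);
}
/* Splits "f1, f2,..." into order[0..MAX_ORDER-1] (unused slots stay NULL).
 * Returns the field count, or -1 when the list is longer than MAX_ORDER, so
 * the caller can refuse the decoder at load time instead of overflowing. */
int parse_order(const char *content, char *order[MAX_ORDER]) {
    char *copy, *tok, *end, *save = NULL;
    int n = 0;
    for (int i = 0; i < MAX_ORDER; i++) order[i] = NULL;   /* bound == array size */
    if (!(copy = strdup(content))) return -1;
    for (tok = strtok_r(copy, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
        while (*tok == ' ') tok++;                           /* trim "a, b" spacing */
        for (end = tok + strlen(tok); end > tok && end[-1] == ' '; ) *--end = '\0';
        if (n == MAX_ORDER || !(order[n] = strdup(tok))) {   /* 33rd field: reject */
            free_order(order, n);
            free(copy);
            return -1;
        }
        n++;
    }
    free(copy);
    return n;
}
/* Parses a constructed list of k identical fields (used by main and the checks). */
int parse_repeated(int k) {
    char buf[MAX_ORDER * 4 + 16] = "", *order[MAX_ORDER];
    int n;
    for (int i = 0; i < k; i++) strcat(buf, i ? ",f" : "f");
    if ((n = parse_order(buf, order)) > 0) free_order(order, n);
    return n;
}
char *g_order[MAX_ORDER];   /* scratch array for main and the checks */
int main(void) {
    int n = parse_order("user, srcip ,dstip", g_order);     /* constructed sample */
    printf("fields=%d first=%s\n", n, n > 0 ? g_order[0] : "(none)");  /* fields=3 first=user */
    if (n > 0) free_order(g_order, n);
    printf("33 fields -> %d\n", parse_repeated(33));                   /* 33 fields -> -1 */
    return 0;
}
```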