rsyslog / liblognorm

a fast samples-based log normalization library
http://www.liblognorm.com
GNU Lesser General Public License v2.1

Segfault parsing an alternate field #220

Closed mostolog closed 8 years ago

mostolog commented 8 years ago

Hi. Trying to parse an Apache access message:

echo "1.2.3.4 - - [23/Sep/2016:11:12:50 +0200] \"GET /app/img/oldlogo.png HTTP/1.1\" 304 -" | /usr/lib/lognorm/lognormalizer -r /rule.rb

rule.rb

version=2
# Trying to parse APACHE ACCESS
rule=:%host:ipv4% %{"type":"alternative","parser":[{"type":"literal","text":"-"},{"type":"word","name":"identd"}]}% %r:rest%

I'm getting: Segmentation fault (core dumped)

Ubuntu 16.04 running rsyslogd 8.22.0, compiled with:
PLATFORM: x86_64-pc-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: No
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
Number of Bits in RainerScript integers: 64

mostolog commented 8 years ago

rule=:%[
    {"type":"ipv4", "name":"ip"},
    {"type":"literal", "text":" "},
    {"type":"literal", "text":"-"},
    {"type":"rest", "name":"r"}
]%

Neither works.

mostolog commented 8 years ago

Possible duplicate of #153

rgerhards commented 8 years ago

I can reproduce this.

rgerhards commented 8 years ago

This is related to the literal not having a name. So a work-around is to assign a name to it.

mostolog commented 8 years ago

You mean {"type":"literal", "text":"", "name":"whatever"},? Can names be repeated or must they be unique?

rgerhards commented 8 years ago

2016-10-17 12:01 GMT+02:00 mostolog notifications@github.com:

> You mean {"type":"literal", "text":"", "name":"whatever"},?

Yes

I think duplicate names are not checked, but then it is undefined which value persists (probably not of interest here).

rgerhards commented 8 years ago

It looks like the problem is that we try to compact a literal parser with multiple refcount. This cannot be done as obviously multiple paths lead to that parser. Seems like that predicate was not checked.
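A simplified model of the condition described in the comment above, as an added example (not liblognorm's code; the `node` struct and all function names are hypothetical): literal compaction may fold a successor into its predecessor only when that successor's refcount is 1, otherwise another path is left pointing at a freed node.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical parse-graph node (not liblognorm's struct): lit == NULL
 * means "not a literal parser" (e.g. word) or the terminal node. */
struct node { int refcnt; char *lit; struct node *next; };

static struct node *node_new(const char *lit, struct node *next) {
    struct node *n = calloc(1, sizeof *n);
    if (lit) { n->lit = malloc(strlen(lit) + 1); strcpy(n->lit, lit); }
    n->next = next;
    if (next) next->refcnt++;          /* one more path leads to next */
    return n;
}

/* Fold runs of literals into n. The refcnt == 1 test is the predicate:
 * a successor reachable from another path must not be merged and freed. */
static int compact(struct node *n) {
    int merged = 0;
    while (n->lit && n->next && n->next->lit && n->next->refcnt == 1) {
        struct node *victim = n->next;
        char *joined = malloc(strlen(n->lit) + strlen(victim->lit) + 1);
        strcat(strcpy(joined, n->lit), victim->lit);
        free(n->lit);
        n->lit = joined;
        n->next = victim->next;        /* edge moves, target refcnt unchanged */
        free(victim->lit); free(victim);
        merged++;
    }
    return merged;
}

/* Constructed case: "-" literal and a word parser both lead to one " " literal. */
static int shared_case(void) {
    struct node *end = node_new(NULL, NULL), *sp = node_new(" ", end);
    struct node *dash = node_new("-", sp), *word = node_new(NULL, sp);
    return compact(dash) == 0 && word->next == sp && strcmp(sp->lit, " ") == 0
        && strcmp(dash->lit, "-") == 0;
}

/* Constructed case: a single path "GET" -> " " can be folded safely. */
static int linear_case(void) {
    struct node *end = node_new(NULL, NULL);
    struct node *a = node_new("GET", node_new(" ", end));
    return compact(a) == 1 && strcmp(a->lit, "GET ") == 0 && a->next == end;
}

int main(void) {
    printf("shared ok=%d linear ok=%d\n", shared_case(), linear_case());
}
```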

mostolog commented 8 years ago

Thanks for fixing. Should I test or can I wait for v8.23?

rgerhards commented 8 years ago

Testing would be appreciated. I plan to release liblognorm 2.0.2 shortly.

Rainer
