Open gy741 opened 5 years ago
Hello,
The `str` variable has a NULL value and can be executed from an if statement (normally, with a damaged file), so a segmentation fault occurs.
In my opinion, it seems necessary to reinforce the if statement of the `processTags` function.
Problem code: https://github.com/rsyslog/liblognorm/blob/1fad7c601cf54782846216c0ade25a377680b0c9/src/v1_samp.c#L520-L542
For patch code example:

```diff
+ if(buf[i] == ',' && str != NULL) {
```
PoC code:

```
karas@sec:~/liblognorm/src$ cat poc
rule=,
```
gdb backtrace:

```
karas@sec:~/liblognorm/src$ gdb ./lognormalizer
Starting program: /home/karas/liblognorm/src/lognormalizer -r c

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff79c73de in es_str2cstr () from /usr/lib/libestr.so.0
(gdb) bt full
#0  0x00007ffff79c73de in es_str2cstr () from /usr/lib/libestr.so.0
No symbol table info available.
#1  0x000055555556e40c in addTagStrToBucket (ctx=0x555555782260, tagname=0x0, tagBucket=0x7fffffffb600) at v1_samp.c:497
        r = -1
        cstr = 0x5b0000006e <error: Cannot access memory at address 0x5b0000006e>
        tag = 0x0
#2  0x000055555556e50f in processTags (ctx=0x555555782260, buf=0x7fffffffb6c0 "rule=,", lenBuf=6, poffs=0x7fffffffb5d8, tagBucket=0x7fffffffb600) at v1_samp.c:532
        r = -1
        str = 0x0
        i = 5
        __PRETTY_FUNCTION__ = "processTags"
#3  0x000055555556e69f in processRule (ctx=0x555555782260, buf=0x7fffffffb6c0 "rule=,", lenBuf=6, offs=5) at v1_samp.c:577
        r = -1
        str = 0x7fffffffb6c0
        tagBucket = 0x555555783e60
#4  0x000055555556edea in ln_v1_processSamp (ctx=0x555555782260, buf=0x7fffffffb6c0 "rule=,", lenBuf=6) at v1_samp.c:773
        samp = 0x0
        typeStr = 0x555555783e40
        offs = 5
#5  0x000055555556f0e1 in ln_v1_sampRead (ctx=0x555555782260, repo=0x555555782380, isEof=0x7fffffffdef8) at v1_samp.c:837
        samp = 0x0
        buf = "rule=,", '\000' <repeats 1946 times>...
        i = 6
        inParser = 0
        done = 1
#6  0x000055555556a64c in ln_v1_loadSamples (ctx=0x555555782260, file=0x7fffffffe440 "c") at v1_liblognorm.c:94
        r = 0
        repo = 0x555555782380
        samp = 0x0
        isEof = 0
        fn_to_free = 0x555555782e10 "c"
#7  0x000055555555f161 in doOldCruft (ctx=0x555555782260, file=0x7fffffffe440 "c") at samp.c:1082
        r = -1
#8  0x000055555555f47d in ln_sampLoad (ctx=0x555555782260, file=0x7fffffffe440 "c") at samp.c:1152
        r = 1
        repo = 0x555555782380
        isEof = 0
        version = 1
#9  0x00005555555581c3 in ln_loadSamples (ctx=0x555555782260, file=0x7fffffffe440 "c") at liblognorm.c:167
        r = 0
        tofree = 0x555555782360 "c"
#10 0x0000555555557d0d in main (argc=3, argv=0x7fffffffe108) at lognormalizer.c:493
        opt = -1
        repository = 0x7fffffffe440 "c"
        usedRB = 1
        ret = 0
        fpStats = 0x0
        fpStatsDOT = 0x0
        extendedStats = 0
```
Thanks.
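As an added illustration (not liblognorm's code and not the reporter's patch), a small C model of the tag-scanning loop behind the backtrace above: the `guard` flag selects between the reported control flow, where a `,` with no preceding tag text hands a NULL tag to the consumer, and a variant that skips such an empty tag. It assumes plain C strings and a fixed array in place of `es_str_t` and the real tag bucket, and models only the comma-delimited part of the loop.

```c
#include <string.h>
#define MAX_TAGS 8
#define MAX_TAG_LEN 32
struct tag_bucket { int n; char tags[MAX_TAGS][MAX_TAG_LEN]; };

/* Stand-in for addTagStrToBucket(): the real one hands the tag to es_str2cstr(),
 * which dereferences it (the crash in the backtrace); here NULL is an error. */
static int add_tag(struct tag_bucket *b, const char *tag)
{
    if (tag == NULL || b->n >= MAX_TAGS)
        return -1;
    strncpy(b->tags[b->n], tag, MAX_TAG_LEN - 1);
    b->tags[b->n][MAX_TAG_LEN - 1] = '\0';
    b->n++;
    return 0;
}

/* Model of the processTags() loop; 'have' plays the role of "str != NULL".
 * guard == 0: reported flow, every ',' calls add_tag, with NULL if no tag text.
 * guard == 1: a ',' with no preceding tag text is skipped. */
int process_tags(const char *buf, size_t len, size_t offs,
                 struct tag_bucket *b, int guard)
{
    char cur[MAX_TAG_LEN];
    size_t curlen = 0;
    int have = 0;
    for (size_t i = offs; i < len; i++) {
        if (buf[i] == ',') {
            if (have || !guard) {
                cur[curlen] = '\0';
                if (add_tag(b, have ? cur : NULL) != 0)
                    return -1;
                have = 0; curlen = 0;
            }
        } else {
            if (curlen + 1 >= MAX_TAG_LEN)
                return -1;
            cur[curlen++] = buf[i];
            have = 1;
        }
    }
    return 0;
}

/* Scans the tag list after "rule=" (offset 5, as in the PoC) and returns the
 * number of tags collected, or -1 when add_tag was given NULL or failed. */
int count_tags(const char *sample, int guard)
{
    struct tag_bucket b = { 0 };
    if (process_tags(sample, strlen(sample), 5, &b, guard) != 0)
        return -1;
    return b.n;
}
```

With the PoC input `rule=,`, `count_tags("rule=,", 0)` reports the NULL hand-off as -1 while `count_tags("rule=,", 1)` returns 0 tags; a well-formed list such as `rule=a,bb,` yields 2 either way.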