Hi,
I have never used Sagan before, and now I'm planning to use it to parse logs and get some alerts. After compiling the 0.3.0 version I get a strange SIGSEGV. I also tried the latest Git version, and the problem remains. After running it under gdb and strace, I figured out the problem is in sagan (sagan.c): it tries to open the FIFO, but doesn't check it in fclose(). This is the strace:
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2593, ...}) = 0
write(3, "[*] [08/21/2013 15:40:59] - \n", 29) = 29
write(1, "[*] \n", 5[*]
) = 5
time(NULL) = 1377092459
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2593, ...}) = 0
write(3, "[*] [08/21/2013 15:40:59] - Atte"..., 78) = 78
write(1, "[*] Attempting to open syslog FI"..., 54[*] Attempting to open syslog FIFO (/tmp/sagan.fifo).
) = 54
open("/tmp/sagan.fifo", O_RDONLY) = -1 EACCES (Permission denied)
time(NULL) = 1377092459
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2593, ...}) = 0
write(3, "[*] [08/21/2013 15:40:59] - Succ"..., 72) = 72
write(1, "[*] Successfully opened FIFO (/t"..., 48[*] Successfully opened FIFO (/tmp/sagan.fifo).
) = 48
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Segmentation fault
Opening the FIFO gets EACCES, but Sagan displays in the logs: Successfully opened FIFO (/tmp/sagan.fifo)
After this the entire while(fd != NULL) { is skipped, and a call to fclose(NULL) produces a SIGSEGV.
A simple if around fclose solves the problem, but introduces the possibility that, if the file isn't accessible, an infinite loop attempting to open the file will eat a lot of resources.
FILE *fd;
fd = fopen(config->sagan_fifo, "r");
if ( config->sagan_fifo_flag == 0 ) {
    Sagan_Log(0, "Successfully opened FIFO (%s).", config->sagan_fifo);
} else {
    Sagan_Log(0, "Successfully opened FILE (%s) and processing events.....", config->sagan_fifo);
}
while(fd != NULL) {
    ...
    sleep(1); /* So we don't eat 100% CPU */
} /* while(fd != NULL) */
fclose(fd); /* ???? */
} /* End of while(1) */
When I get some free time, I'll take some time to review the code and send a patch if nobody has solved this. An off-topic question:
I see that the code indentation is somewhat strange; on my first read of the code, it was somewhat confusing for me.
Is there any coding standard for contributing code to the project?
Really good software and very good work.
Regards.
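
The failure mode reported above (an unchecked fopen(), a success message logged regardless, then fclose(NULL)) and the retry-loop concern, as an added example that is not part of the original message and is not Sagan's code. The function names open_input_with_retry and close_input and the attempt and delay values are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: try to open the input a bounded number of times.
 * Returns the stream, or NULL with errno set by the last fopen() failure.
 * Success is logged only after fopen() has actually returned a stream. */
FILE *open_input_with_retry(const char *path, int max_attempts, unsigned delay_s)
{
    if (max_attempts < 1) {
        errno = EINVAL;
        return NULL;
    }
    for (int attempt = 1; attempt <= max_attempts; attempt++) {
        FILE *fp = fopen(path, "r");
        if (fp != NULL) {
            fprintf(stderr, "[*] Successfully opened %s\n", path);
            return fp;
        }
        int saved = errno;              /* fprintf()/sleep() may change errno */
        fprintf(stderr, "[E] Cannot open %s (attempt %d/%d): %s\n",
                path, attempt, max_attempts, strerror(saved));
        if (attempt < max_attempts)
            sleep(delay_s);             /* pause between attempts, no busy loop */
        errno = saved;
    }
    return NULL;                        /* caller decides: exit, alert, etc. */
}

/* Hypothetical helper: fclose(NULL) is undefined behaviour, so close only
 * a valid stream. */
int close_input(FILE *fp)
{
    return fp != NULL ? fclose(fp) : 0;
}

int main(int argc, char **argv)
{
    /* Default path taken from the strace output in the message. */
    const char *path = argc > 1 ? argv[1] : "/tmp/sagan.fifo";
    FILE *fp = open_input_with_retry(path, 3, 1);
    if (fp == NULL)
        return 1;                       /* give up cleanly instead of crashing */
    char line[1024];
    while (fgets(line, sizeof line, fp) != NULL)
        fputs(line, stdout);
    return close_input(fp) == 0 ? 0 : 1;
}
```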