diff --git a/backport-GNUTls-Driver-Fix-memory-leaks-in-gtlsInitC.patch b/backport-GNUTls-Driver-Fix-memory-leaks-in-gtlsInitC.patch new file mode 100644 index 0000000000000000000000000000000000000000..0db05946e815bee24ea996474fc21af88328fd75 --- /dev/null +++ b/backport-GNUTls-Driver-Fix-memory-leaks-in-gtlsInitC.patch @@ -0,0 +1,54 @@ +From e7ad250f51bba571c9861c4ab7df2df135be9ea3 Mon Sep 17 00:00:00 2001 +From: Andre lorbach +Date: Thu, 11 May 2023 16:49:11 +0200 +Subject: [PATCH] [backport] GNUTls Driver: Fix memory leaks in gtlsInitCred + +Missing CA Certificate or multiple Connections caused +a memory leak in pThis->xcred as it was allocated each time in +gtlsInitCred by gnutls_certificate_allocate_credentials + +closes: https://github.com/rsyslog/rsyslog/issues/5135 + +--- + +Conflict:NA +Type:bugfix +Reference:https://github.com/rsyslog/rsyslog/commit/3401d687d2d5f9556165b53be79fbe4dc49b8c79 + +--- +--- + runtime/nsd_gtls.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c +index bbda5c5bc..da549d728 100644 +--- a/runtime/nsd_gtls.c ++++ b/runtime/nsd_gtls.c +@@ -711,7 +711,10 @@ gtlsInitCred(nsd_gtls_t *const pThis ) + DEFiRet; + + /* X509 stuff */ +- CHKgnutls(gnutls_certificate_allocate_credentials(&pThis->xcred)); ++ if (pThis->xcred == NULL) { ++ /* Allocate only ONCE */ ++ CHKgnutls(gnutls_certificate_allocate_credentials(&pThis->xcred)); ++ } + + /* sets the trusted cas file */ + cafile = (pThis->pszCAFile == NULL) ? glbl.GetDfltNetstrmDrvrCAF() : pThis->pszCAFile; +@@ -2264,7 +2267,12 @@ finalize_it: + if(pThis->bHaveSess) { + gnutls_deinit(pThis->sess); + pThis->bHaveSess = 0; ++ /* Free memory using gnutls api first*/ ++ gnutls_certificate_free_credentials(pThis->xcred); + pThis->xcred = NULL; ++ /* Free other memory */ ++ free(pThis->pszConnectHost); ++ pThis->pszConnectHost = NULL; + } + } + +-- +2.12.3 + 
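Review bot: `gnutls_certificate_free_credentials(pThis->xcred)` in the second hunk (inside the `finalize_it` of a function that begins outside the hunk, around line 2267) is called without checking that `xcred` was ever allocated, and as far as I recall libgnutls does not NULL-check that argument, so any path that sets `bHaveSess` without having gone through `gtlsInitCred` would dereference NULL. Guard it: `if(pThis->xcred != NULL) { gnutls_certificate_free_credentials(pThis->xcred); pThis->xcred = NULL; }`. Note also that the release is gated on `bHaveSess`, so a connection attempt that fails between the now once-only allocation in `gtlsInitCred` and session creation keeps `xcred` alive until the object destructor; that is only leak-free if the destructor (not visible here) frees it, which deserves a one-line comment at the allocation site naming the owner that releases it.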
diff --git a/backport-MMDBLOOKUP-FIXED-Don-t-crash-Rsyslog-on-mmd.patch b/backport-MMDBLOOKUP-FIXED-Don-t-crash-Rsyslog-on-mmd.patch new file mode 100644 index 0000000000000000000000000000000000000000..7801e3c630ac171035c82b2708750a9141cf42b7 --- /dev/null +++ b/backport-MMDBLOOKUP-FIXED-Don-t-crash-Rsyslog-on-mmd.patch 
@@ -0,0 +1,126 @@ +From bd5933ce7617238b143a54709f582d2e2abbdd5f Mon Sep 17 00:00:00 2001 +From: frikilax +Date: Tue, 19 Apr 2022 09:56:06 +0200 +Subject: [PATCH] [backport] MMDBLOOKUP::FIXED:: Don't crash Rsyslog on mmdb + file errors + +--- + +Conflict:NA +Reference:https://github.com/rsyslog/rsyslog/commit/0869d725f297f50830ae4a026902d6aa35d8f8bd + +--- +--- + plugins/mmdblookup/mmdblookup.c | 39 ++++++++++++++++++++++++++++++--------- + 1 file changed, 30 insertions(+), 9 deletions(-) + +diff --git a/plugins/mmdblookup/mmdblookup.c b/plugins/mmdblookup/mmdblookup.c +index 3fe5172a9..85536f2cf 100644 +--- a/plugins/mmdblookup/mmdblookup.c ++++ b/plugins/mmdblookup/mmdblookup.c +@@ -68,6 +68,7 @@ typedef struct wrkrInstanceData { + instanceData *pData; + MMDB_s mmdb; + pthread_mutex_t mmdbMutex; ++ sbool mmdb_is_open; + } wrkrInstanceData_t; + + struct modConfData_s { +@@ -122,15 +123,30 @@ int open_mmdb(const char *file, MMDB_s *mmdb) { + dbgprintf(" IO error: %s\n", strerror(errno)); + } + LogError(0, RS_RET_SUSPENDED, "maxminddb error: cannot open database file"); ++ return RS_RET_SUSPENDED; + } + +- return MMDB_SUCCESS != status; ++ return RS_RET_OK; + } + + void close_mmdb(MMDB_s *mmdb) { + MMDB_close(mmdb); + } + ++static rsRetVal wrkr_reopen_mmdb(wrkrInstanceData_t *pWrkrData) { ++ DEFiRet; ++ pthread_mutex_lock(&pWrkrData->mmdbMutex); ++ LogMsg(0, NO_ERRCODE, LOG_INFO, "mmdblookup: reopening MMDB file"); ++ if (pWrkrData->mmdb_is_open) close_mmdb(&pWrkrData->mmdb); ++ pWrkrData->mmdb_is_open = 0; ++ CHKiRet(open_mmdb(pWrkrData->pData->pszMmdbFile, &pWrkrData->mmdb)); ++ pWrkrData->mmdb_is_open = 1; ++ ++finalize_it: ++ pthread_mutex_unlock(&pWrkrData->mmdbMutex); ++ RETiRet; ++} ++ + BEGINbeginCnfLoad + CODESTARTbeginCnfLoad + loadModConf = pModConf; +@@ -163,6 +179,7 @@ ENDcreateInstance + BEGINcreateWrkrInstance + CODESTARTcreateWrkrInstance + CHKiRet(open_mmdb(pData->pszMmdbFile, &pWrkrData->mmdb)); ++ pWrkrData->mmdb_is_open = 1; + 
CHKiConcCtrl(pthread_mutex_init(&pWrkrData->mmdbMutex, NULL)); + finalize_it: + ENDcreateWrkrInstance +@@ -190,7 +207,8 @@ ENDfreeInstance + + BEGINfreeWrkrInstance + CODESTARTfreeWrkrInstance +- close_mmdb(&pWrkrData->mmdb); ++ if (pWrkrData->mmdb_is_open) close_mmdb(&pWrkrData->mmdb); ++ pWrkrData->mmdb_is_open = 0; + pthread_mutex_destroy(&pWrkrData->mmdbMutex); + ENDfreeWrkrInstance + +@@ -312,6 +330,7 @@ ENDdbgPrintInstInfo + + BEGINtryResume + CODESTARTtryResume ++ iRet = wrkr_reopen_mmdb(pWrkrData); + ENDtryResume + + +@@ -356,6 +375,11 @@ BEGINdoAction_NoStrings + json_object *total_json = NULL; + MMDB_entry_data_list_s *entry_data_list = NULL; + CODESTARTdoAction ++ /* ensure file is open before beginning */ ++ if (!pWrkrData->mmdb_is_open) { ++ CHKiRet(wrkr_reopen_mmdb(pWrkrData)); ++ } ++ + /* key is given, so get the property json */ + msgPropDescr_t pProp; + msgPropDescrFill(&pProp, (uchar*)pData->pszKey, strlen(pData->pszKey)); +@@ -382,7 +406,9 @@ CODESTARTdoAction + } + if (MMDB_SUCCESS != mmdb_err) { + dbgprintf("Got an error from the maxminddb library: %s\n", MMDB_strerror(mmdb_err)); +- ABORT_FINALIZE(RS_RET_OK); ++ close_mmdb(&pWrkrData->mmdb); ++ pWrkrData->mmdb_is_open = 0; ++ ABORT_FINALIZE(RS_RET_IO_ERROR); + } + if (!result.found_entry) { + dbgprintf("No entry found in database for '%s'\n", pszValue); +@@ -450,12 +476,7 @@ BEGINdoHUPWrkr + CODESTARTdoHUPWrkr + dbgprintf("mmdblookup: HUP received\n"); + if (pWrkrData->pData->reloadOnHup) { +- // a mutex is needed, as it's the main thread that runs this handler +- pthread_mutex_lock(&pWrkrData->mmdbMutex); +- LogMsg(0, NO_ERRCODE, LOG_INFO, "mmdblookup: reloading MMDB file"); +- close_mmdb(&pWrkrData->mmdb); +- iRet = open_mmdb(pWrkrData->pData->pszMmdbFile, &pWrkrData->mmdb); +- pthread_mutex_unlock(&pWrkrData->mmdbMutex); ++ iRet = wrkr_reopen_mmdb(pWrkrData); + } + ENDdoHUPWrkr + +-- +2.12.3 + 
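Review bot: The new `if (!pWrkrData->mmdb_is_open)` test at the top of `doAction` and the `close_mmdb()`/flag clear in the lookup-error branch run without `mmdbMutex`, while `wrkr_reopen_mmdb()` (called from the HUP handler on the main thread and from `tryResume`) writes the same handle and flag under the mutex; unless the lookup code between those two points (outside the hunk) holds the mutex, this is a data race and a HUP can close the `MMDB_s` underneath an in-flight `MMDB_lookup_string`. The open-check, the lookup and the error-path close should all sit inside one `pthread_mutex_lock(&pWrkrData->mmdbMutex)` / `pthread_mutex_unlock(&pWrkrData->mmdbMutex)` region, with the unlock in `finalize_it`. A smaller point: `wrkr_reopen_mmdb()` logs at LOG_INFO on every attempt, so a persistently missing database emits one info line per `tryResume` cycle on top of the error from `open_mmdb()`; consider logging only once the open succeeds.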
diff --git a/backport-OpenSSL-fix-depreacted-API-issues-for-OpenS.patch b/backport-OpenSSL-fix-depreacted-API-issues-for-OpenS.patch new file mode 100644 index 0000000000000000000000000000000000000000..2dc8a38fa23ff1ceb83239aa8cad55f68314c934 --- /dev/null +++ b/backport-OpenSSL-fix-depreacted-API-issues-for-OpenS.patch 
@@ -0,0 +1,120 @@ +From 4fe3152b51884916861303573294be3d797f3998 Mon Sep 17 00:00:00 2001 +From: Andre lorbach +Date: Mon, 27 Jun 2022 14:39:07 +0200 +Subject: [PATCH] [backport] OpenSSL: fix depreacted API issues for OpenSSL 3.x + +- OpenSSL error strings are loaded automatically now +- Debug Callback has changed +- See for more: + https://www.openssl.org/docs/manmaster/man7/migration_guide.html + +closes: https://github.com/rsyslog/rsyslog/issues/4912 +--- + +Conflict:NA +Reference:https://github.com/rsyslog/rsyslog/commit/bd4d4a6c5ccf6c0d279e6c45bf719433bc48105d + +--- +--- + runtime/nsd_ossl.c | 39 ++++++++++++++++++++++++++++++--------- + 1 file changed, 30 insertions(+), 9 deletions(-) + +diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c +index 13f697704..5d8ebd86c 100644 +--- a/runtime/nsd_ossl.c ++++ b/runtime/nsd_ossl.c +@@ -31,6 +31,9 @@ + #include + #include + #include ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER) ++# include ++#endif + #include + #include + #include +@@ -294,16 +297,20 @@ int verify_callback(int status, X509_STORE_CTX *store) + return status; + } + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER) ++long BIO_debug_callback_ex(BIO *bio, int cmd, const char __attribute__((unused)) *argp, ++ size_t __attribute__((unused)) len, int argi, long __attribute__((unused)) argl, ++ int ret, size_t __attribute__((unused)) *processed) ++#else + long BIO_debug_callback(BIO *bio, int cmd, const char __attribute__((unused)) *argp, + int argi, long __attribute__((unused)) argl, long ret) ++#endif + { ++ long ret2 = ret; // Helper value to avoid printf compile errors long<>int + long r = 1; +- + if (BIO_CB_RETURN & cmd) + r = ret; +- + dbgprintf("openssl debugmsg: BIO[%p]: ", (void *)bio); +- + switch (cmd) { + case BIO_CB_FREE: + dbgprintf("Free - %s\n", RSYSLOG_BIO_method_name(bio)); +@@ -350,19 +357,19 @@ long BIO_debug_callback(BIO *bio, int cmd, const char __attribute__((unused)) 
*a + RSYSLOG_BIO_method_name(bio)); + break; + case BIO_CB_RETURN | BIO_CB_READ: +- dbgprintf("read return %ld\n", ret); ++ dbgprintf("read return %ld\n", ret2); + break; + case BIO_CB_RETURN | BIO_CB_WRITE: +- dbgprintf("write return %ld\n", ret); ++ dbgprintf("write return %ld\n", ret2); + break; + case BIO_CB_RETURN | BIO_CB_GETS: +- dbgprintf("gets return %ld\n", ret); ++ dbgprintf("gets return %ld\n", ret2); + break; + case BIO_CB_RETURN | BIO_CB_PUTS: +- dbgprintf("puts return %ld\n", ret); ++ dbgprintf("puts return %ld\n", ret2); + break; + case BIO_CB_RETURN | BIO_CB_CTRL: +- dbgprintf("ctrl return %ld\n", ret); ++ dbgprintf("ctrl return %ld\n", ret2); + break; + default: + dbgprintf("bio callback - unknown type (%d)\n", cmd); +@@ -420,9 +427,19 @@ osslGlblInit(void) + + /* Load readable error strings */ + SSL_load_error_strings(); ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER) ++ /* ++ * ERR_load_*(), ERR_func_error_string(), ERR_get_error_line(), ERR_get_error_line_data(), ERR_get_state() ++ * OpenSSL now loads error strings automatically so these functions are not needed. ++ * SEE FOR MORE: ++ * https://www.openssl.org/docs/manmaster/man7/migration_guide.html ++ * ++ */ ++#else ++ /* Load error strings into mem*/ + ERR_load_BIO_strings(); + ERR_load_crypto_strings(); +- ++#endif + RETiRet; + } + +@@ -557,7 +574,11 @@ osslInitSession(nsd_ossl_t *pThis, osslSslState_t osslType) /* , nsd_ossl_t *pSe + dbgprintf("osslInitSession: Init conn BIO[%p] done\n", (void *)conn); + + /* Set debug Callback for conn BIO as well! */ ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER) ++ BIO_set_callback_ex(conn, BIO_debug_callback_ex); ++#else + BIO_set_callback(conn, BIO_debug_callback); ++#endif + + /* TODO: still needed? Set to NON blocking ! */ + BIO_set_nbio( conn, 1 ); +-- +2.12.3 + 
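Review bot: The new `long BIO_debug_callback_ex(BIO *bio, int cmd, ...)` is a non-`static` definition that uses exactly the name OpenSSL 3 exports from `<openssl/bio.h>`, so rsyslog's copy interposes libcrypto's symbol at link/load time (the pre-3.0 `BIO_debug_callback` already had the same problem, and this hunk is the natural place to fix both). Make it file-local under a project name, e.g. `static long rsyslog_BIO_debug_callback_ex(...)` and `BIO_set_callback_ex(conn, rsyslog_BIO_debug_callback_ex);` in `osslInitSession`. The `ret2` helper exists only because `ret` is `int` in the `_ex` signature; a short comment at its declaration saying that would save the next reader a detour. `osslGlblInit` and `osslInitSession` both continue outside the hunk.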
diff --git a/backport-bugfix-prevent-pot.-segfault-when-switchung.patch b/backport-bugfix-prevent-pot.-segfault-when-switchung.patch new file mode 100644 index 0000000000000000000000000000000000000000..ed493d19cf06366085f0e0b4a4a745042cf91ad5 --- /dev/null +++ b/backport-bugfix-prevent-pot.-segfault-when-switchung.patch 
@@ -0,0 +1,57 @@ +From 1807410d18519520ed813dd4b9d2b2d34e583415 Mon Sep 17 00:00:00 2001 +From: Rainer Gerhards +Date: Sun, 30 Oct 2022 18:43:26 +0100 +Subject: [PATCH] [backport] bugfix: prevent pot. segfault when switchung to + queue emergency mode + +When switching to Disk queue emergency mode, we destructed the in-memory +queue object. Practice has shown that this MAY cause races during +destruction which themselfs can lead to segfault. For that reason, we +now keep the disk queueu object. This will keep some ressources, +including disk space, allocated. But we prefer that over a segfault. +After all, it only happens after a serious queue error when we are +already at the edge of hard problems. + +see also: https://github.com/rsyslog/rsyslog/issues/4963 + +--- + +Conflict:NA +Type:bugfix +Reference:https://github.com/rsyslog/rsyslog/commit/eaac48d0d23afe0146454cd9f5004ddcb47cc81b + +--- +--- + runtime/queue.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/runtime/queue.c b/runtime/queue.c +index b3fdd5101..856b4df25 100644 +--- a/runtime/queue.c ++++ b/runtime/queue.c +@@ -794,8 +794,12 @@ static rsRetVal qDelLinkedList(qqueue_t *pThis) + /* The following function is used to "save" ourself from being killed by + * a fatally failed disk queue. A fatal failure is, for example, if no + * data can be read or written. In that case, the disk support is disabled, +- * with all on-disk structures kept as-is as much as possible. Instead, the +- * queue is switched to direct mode, so that at least ++ * with all on-disk structures kept as-is as much as possible. However, ++ * we do not really stop or destruct the in-memory disk queue object. ++ * Practice has shown that this may cause races during destruction which ++ * themselfs can lead to segfault. So we prefer to was some ressources by ++ * keeping the queue active. ++ * Instead, the queue is switched to direct mode, so that at least + * some processing can happen. 
Of course, this may still have lots of + * undesired side-effects, but is probably better than aborting the + * syslogd. Note that this function *must* succeed in one way or another, as +@@ -808,7 +812,6 @@ queueSwitchToEmergencyMode(qqueue_t *pThis, rsRetVal initiatingError) + { + pThis->iQueueSize = 0; + pThis->nLogDeq = 0; +- qDestructDisk(pThis); /* free disk structures */ + + pThis->qType = QUEUETYPE_DIRECT; + pThis->qConstruct = qConstructDirect; +-- +2.12.3 + diff --git a/backport-core-bugfix-using-uuid-msg-prop-can-deadloc.patch b/backport-core-bugfix-using-uuid-msg-prop-can-deadloc.patch new file mode 100644 index 0000000000000000000000000000000000000000..4924ae06119e8d8405af6f98370bc0c293b11b1c --- /dev/null +++ b/backport-core-bugfix-using-uuid-msg-prop-can-deadloc.patch 
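Review bot: Dropping `qDestructDisk(pThis)` while switching `qType` to `QUEUETYPE_DIRECT` leaves the disk queue's stream objects, their open file descriptors and the on-disk queue files orphaned, because the queue destructor (outside the hunk) now dispatches on the DIRECT type and never closes them; the commit accepts that, but it should be stated at the removal site, e.g. `/* NOTE: disk strm objects are intentionally orphaned (fds and files stay until exit) to avoid races in qDestructDisk; see #4963 */`, and an operator-visible `LogError` is warranted if the function does not already emit one. Whether the orphaned structures can still produce a consistent `.qi` checkpoint at shutdown is not verifiable from the hunk and is worth checking, since a stale index next to retained queue files is what a restart would find. The rewritten header comment has two typos: `themselfs` and `to was some ressources` should read `themselves` and `to waste some resources`.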
@@ -0,0 +1,84 @@ +From deefc958c388995fac99c581284fb86eb9653ece Mon Sep 17 00:00:00 2001 +From: Rainer Gerhards +Date: Thu, 23 Mar 2023 10:58:32 +0100 +Subject: [PATCH] [backport] core/bugfix: using $uuid msg prop can deadlock + rsyslog on shutdown + +This problem can occur if a large number of threads is used and rsyslog +cannot shut down all queues etc within the regular time interval. In this +case, it cancels some threads. That can leave the mutex guarding libuuid +calls locked and thus prevents other, not yet cancelled threads from +progressing. Assuming pthread_mutex_lock() is not a cancellation point, +this will case these other threads to hang forever and thus create a +deadlock situation. + +closes https://github.com/rsyslog/rsyslog/issues/5104 + +--- + +Conflict:runtime/msg.c +Type:bugfix +Reference:https://github.com/rsyslog/rsyslog/commit/82687e14fbf3d854e8cc954efb9fb0efa69a28d2 + +--- +--- + runtime/msg.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/runtime/msg.c b/runtime/msg.c +index 73b7cec80..a3ddb8684 100644 +--- a/runtime/msg.c ++++ b/runtime/msg.c +@@ -7,7 +7,7 @@ + * of the "old" message code without any modifications. However, it + * helps to have things at the right place one we go to the meat of it. + * +- * Copyright 2007-2020 Rainer Gerhards and Adiscon GmbH. ++ * Copyright 2007-2023 Rainer Gerhards and Adiscon GmbH. + * + * This file is part of the rsyslog runtime library. + * +@@ -1618,13 +1618,22 @@ msgSetPRI(smsg_t *const __restrict__ pMsg, syslog_pri_t pri) + /* note: libuuid seems not to be thread-safe, so we need + * to get some safeguards in place. 
+ */ ++static pthread_mutex_t mutUUID = PTHREAD_MUTEX_INITIALIZER; ++ ++static void call_uuid_generate(uuid_t uuid) ++{ ++ pthread_mutex_lock(&mutUUID); ++ pthread_cleanup_push(mutexCancelCleanup, &mutUUID); ++ uuid_generate(uuid); ++ pthread_cleanup_pop(1); ++} ++ + static void msgSetUUID(smsg_t * const pM) + { + size_t lenRes = sizeof(uuid_t) * 2 + 1; + char hex_char [] = "0123456789ABCDEF"; + unsigned int byte_nbr; + uuid_t uuid; +- static pthread_mutex_t mutUUID = PTHREAD_MUTEX_INITIALIZER; + + dbgprintf("[MsgSetUUID] START, lenRes %llu\n", (long long unsigned) lenRes); + assert(pM != NULL); +@@ -1632,9 +1641,7 @@ static void msgSetUUID(smsg_t * const pM) + if((pM->pszUUID = (uchar*) malloc(lenRes)) == NULL) { + pM->pszUUID = (uchar *)""; + } else { +- pthread_mutex_lock(&mutUUID); +- uuid_generate(uuid); +- pthread_mutex_unlock(&mutUUID); ++ call_uuid_generate(uuid); + for (byte_nbr = 0; byte_nbr < sizeof (uuid_t); byte_nbr++) { + pM->pszUUID[byte_nbr * 2 + 0] = hex_char[uuid [byte_nbr] >> 4]; + pM->pszUUID[byte_nbr * 2 + 1] = hex_char[uuid [byte_nbr] & 15]; +@@ -5352,5 +5359,3 @@ BEGINObjClassInit(msg, 1, OBJ_IS_CORE_MODULE) + INIT_ATOMIC_HELPER_MUT(mutTrimCtr); + # endif + ENDObjClassInit(msg) +-/* vim:set ai: +- */ +-- +2.12.3 + diff --git a/backport-core-template-implement-negative-position.t.patch b/backport-core-template-implement-negative-position.t.patch new file mode 100644 index 0000000000000000000000000000000000000000..b15a93f7367c9a32218e8fa024a054902d608401 --- /dev/null +++ b/backport-core-template-implement-negative-position.t.patch 
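Review bot: `call_uuid_generate` protects the mutex from cancellation but not libuuid itself: if a cancelled thread is inside `uuid_generate()` at a cancellation point (it reads `/dev/urandom` or talks to uuidd through cancellable syscalls, as far as I recall), the cleanup handler releases `mutUUID` while libuuid's static state is half-updated, which is exactly the non-thread-safety the surrounding comment warns about. Disabling cancellation across the call is the safer shape: `int old; pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &old);` before `uuid_generate(uuid);` and `pthread_setcancelstate(old, NULL);` after it, all still under the mutex. `mutexCancelCleanup` is not defined in this hunk; since the backport notes a conflict in runtime/msg.c, confirm it is in scope in the target tree.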
@@ -0,0 +1,137 @@ +From 51aca777b6236af77344fd86852bd13bb4643fa9 Mon Sep 17 00:00:00 2001 +From: Rainer Gerhards +Date: Wed, 18 Jan 2023 17:27:08 +0100 +Subject: [PATCH] [backport] core/template: implement negative position.to + +This will easily permit to drop the last n characters from a property +without the need to know the exact length of the string. This is +especially useful as the exact length is most often not known +beforehand. + +--- + +Conflict:NA +Type:bugfix +Reference:https://github.com/rsyslog/rsyslog/commit/7245abb7099b47deaa63164f221a309b3762f247 + +--- +--- + runtime/msg.c | 9 ++++++++- + template.c | 10 ++++++---- + tests/Makefile.am | 2 ++ + tests/template-topos-neg.sh | 19 +++++++++++++++++++ + 4 files changed, 35 insertions(+), 5 deletions(-) + create mode 100755 tests/template-topos-neg.sh + +diff --git a/runtime/msg.c b/runtime/msg.c +index ee0d75735..73b7cec80 100644 +--- a/runtime/msg.c ++++ b/runtime/msg.c +@@ -4132,8 +4132,15 @@ uchar *MsgGetProp(smsg_t *__restrict__ const pMsg, struct templateEntry *__restr + /* need to zero-base to and from (they are 1-based!) */ + if(iFrom > 0) + --iFrom; +- if(iTo > 0) ++ if(iTo > 0) { + --iTo; ++ } else if(iTo < 0) { ++ /* note: we ADD negative value, 0-based (-1)! 
*/ ++ iTo = bufLen - 1 + iTo; ++ if(iTo < 0) { ++ iTo = 0; ++ } ++ } + } + if(iFrom >= bufLen) { + DBGPRINTF("msgGetProp: iFrom %d >= buflen %d, returning empty string\n", +diff --git a/template.c b/template.c +index 18bcda704..319c0ab7c 100644 +--- a/template.c ++++ b/template.c +@@ -1467,7 +1467,8 @@ createPropertyTpe(struct template *pTpl, struct cnfobj *o) + int spifno1stsp = 0; + int mandatory = 0; + int frompos = -1; +- int topos = -1; ++ int topos = 0; ++ int topos_set = 0; + int fieldnum = -1; + int fielddelim = 9; /* default is HT (USACSII 9) */ + int fixedwidth = 0; +@@ -1551,6 +1552,7 @@ createPropertyTpe(struct template *pTpl, struct cnfobj *o) + bComplexProcessing = 1; + } else if(!strcmp(pblkProperty.descr[i].name, "position.to")) { + topos = pvals[i].val.d.n; ++ topos_set = 1; + bComplexProcessing = 1; + } else if(!strcmp(pblkProperty.descr[i].name, "position.relativetoend")) { + bPosRelativeToEnd = pvals[i].val.d.n; +@@ -1732,9 +1734,9 @@ createPropertyTpe(struct template *pTpl, struct cnfobj *o) + } + + /* sanity check */ +- if(topos == -1 && frompos != -1) ++ if(topos_set == 0 && frompos != -1) + topos = 2000000000; /* large enough ;) */ +- if(frompos == -1 && topos != -1) ++ if(frompos == -1 && topos_set != 0) + frompos = 0; + if(bPosRelativeToEnd) { + if(topos > frompos) { +@@ -1743,7 +1745,7 @@ createPropertyTpe(struct template *pTpl, struct cnfobj *o) + ABORT_FINALIZE(RS_RET_ERR); + } + } else { +- if(topos < frompos) { ++ if((topos >= 0) && (topos < frompos)) { + LogError(0, RS_RET_ERR, "position.to=%d is lower than postion.from=%d\n", + topos, frompos); + ABORT_FINALIZE(RS_RET_ERR); +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 1247b08ab..42822d65a 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -243,6 +243,7 @@ TESTS += \ + template-pos-from-to-oversize-lowercase.sh \ + template-pos-from-to-missing-jsonvar.sh \ + template-const-jsonf.sh \ ++ template-topos-neg.sh \ + fac_authpriv.sh \ + fac_local0.sh \ + 
fac_local7.sh \ +@@ -1966,6 +1967,7 @@ EXTRA_DIST= \ + template-pos-from-to-oversize-lowercase.sh \ + template-pos-from-to-missing-jsonvar.sh \ + template-const-jsonf.sh \ ++ template-topos-neg.sh \ + fac_authpriv.sh \ + fac_local0.sh \ + fac_local0-vg.sh \ +diff --git a/tests/template-topos-neg.sh b/tests/template-topos-neg.sh +new file mode 100755 +index 000000000..d17fdb7b6 +--- /dev/null ++++ b/tests/template-topos-neg.sh +@@ -0,0 +1,19 @@ ++#!/bin/bash ++# This is part of the rsyslog testbench, licensed under ASL 2.0 ++. ${srcdir:=.}/diag.sh init ++generate_conf ++add_conf ' ++template(name="out" type="list") { ++ property(name="STRUCTURED-DATA" position.from="2" position.to="-1") ++ constant(value="\n") ++} ++ ++local4.debug action(type="omfile" template="out" file="'$RSYSLOG_OUT_LOG'") ++' ++startup ++injectmsg_literal '<167>1 2003-03-01T01:00:00.000Z hostname1 sender - tag [tcpflood@32473 MSGNUM="0"] msgnum:irrelevant' ++shutdown_when_empty ++wait_shutdown ++export EXPECTED='tcpflood@32473 MSGNUM="0"' ++cmp_exact ++exit_test +-- +2.12.3 + diff --git a/backport-imjournal-add-second-fallback-to-_COMM.patch b/backport-imjournal-add-second-fallback-to-_COMM.patch new file mode 100644 index 0000000000000000000000000000000000000000..eba679ccbb47a70cb82f41ab30aee146aab7d9fd --- /dev/null +++ b/backport-imjournal-add-second-fallback-to-_COMM.patch 
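Review bot: With `position.to` now allowed to be negative, the config-time sanity check in `createPropertyTpe` is skipped for negative values (`(topos >= 0) && (topos < frompos)`), so the run-time conversion in `MsgGetProp` can legitimately produce `iTo < iFrom` (e.g. `position.from="3" position.to="-3"` on a four-character value gives iFrom=2, iTo=0); the length computation that follows is outside the hunk, and if it is `iTo - iFrom + 1` with no negative check that is a negative length handed to `malloc`/`memcpy`. Add an explicit guard right after the conversion that returns the empty string the same way the `iFrom >= bufLen` branch does, e.g. `if(iTo < iFrom) { /* negative position.to cut everything */ ... }`. Separately, `topos = pvals[i].val.d.n;` narrows a 64-bit config number into `int` silently; a range check with a `LogError` would turn an absurd value into a config error rather than an overflowed position.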
@@ -0,0 +1,38 @@ +From 45900dd550e0aca724a4ec66c2833de3d27565e1 Mon Sep 17 00:00:00 2001 +From: alakatos +Date: Mon, 31 Oct 2022 14:40:12 +0100 +Subject: [PATCH] [backport] imjournal: add second fallback to _COMM + +If SYSLOG_IDENTIFIER is not present in the journal message, +then lookup the _COMM field, which stands for the name +of the process the journal entry originates from. This is +needed in order to be in compliance with the journalctl +output. + +--- + +Conflict:NA +Type:bugfix +Reference:https://github.com/rsyslog/rsyslog/commit/fb5ae30e6ac4dc584dd9c5463e27e7fc5e9060a4 + +--- +--- + plugins/imjournal/imjournal.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/plugins/imjournal/imjournal.c b/plugins/imjournal/imjournal.c +index 6fb3b7a07..4d9e59966 100644 +--- a/plugins/imjournal/imjournal.c ++++ b/plugins/imjournal/imjournal.c +@@ -453,6 +453,8 @@ readjournal(void) + /* Get message identifier, client pid and add ':' */ + if (journalGetData("SYSLOG_IDENTIFIER", &get, &length) >= 0) { + CHKiRet(sanitizeValue(((const char *)get) + 18, length - 18, &sys_iden)); ++ } else if (journalGetData("_COMM", &get, &length) >= 0) { ++ CHKiRet(sanitizeValue(((const char *)get) + 6, length - 6, &sys_iden)); + } else { + CHKmalloc(sys_iden = strdup("journal")); + } +-- +2.12.3 + diff --git a/backport-imptcp-bugfix-spam-log-on-oversize-message.patch b/backport-imptcp-bugfix-spam-log-on-oversize-message.patch new file mode 100644 index 0000000000000000000000000000000000000000..c0b3d13cc63710ff2f653523a6713c9e688b71cd --- /dev/null +++ b/backport-imptcp-bugfix-spam-log-on-oversize-message.patch 
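Review bot: The `+ 6` / `length - 6` offsets (like the existing `18`) encode the `FIELD=` prefix length as magic numbers; writing them as `sizeof("_COMM=") - 1` keeps the prefix and its length from drifting apart, e.g. `CHKiRet(sanitizeValue(((const char *)get) + sizeof("_COMM=") - 1, length - (sizeof("_COMM=") - 1), &sys_iden));`. A comment is also worth adding that `_COMM` is a journald-trusted field but its value still originates from the process (it can set its own comm), so routing it through `sanitizeValue` like `SYSLOG_IDENTIFIER` is deliberate, and that, as I recall, comm is limited to 15 bytes so the resulting tag may be truncated relative to journalctl's output. `readjournal` starts and ends outside the hunk.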
@@ -0,0 +1,40 @@ +From 115b193cb8565d0221c8f9142f419f2429658d2b Mon Sep 17 00:00:00 2001 +From: Rainer Gerhards +Date: Tue, 21 Mar 2023 17:13:28 +0100 +Subject: [PATCH] [backport] imptcp bugfix: spam log on oversize message + +If an oversize message was received by imptcp, imptcp reported +one error message for EACH oversize character. This could +result in a potentially very large number of similar (and +useless) messages. + +This is a regression from commit f052717178. + +closes https://github.com/rsyslog/rsyslog/issues/5078 + +--- + +Conflict:NA +Type:bugfix +Reference:https://github.com/rsyslog/rsyslog/commit/2e8b48258f41bd33b1439ae6e3d2abcd05c5c1be + +--- +--- + plugins/imptcp/imptcp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c +index 50d233cb1..f631749f2 100644 +--- a/plugins/imptcp/imptcp.c ++++ b/plugins/imptcp/imptcp.c +@@ -1172,6 +1172,7 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis, + "max msg size; message will be split starting at: \"%.*s\"\n", + pThis->pLstn->pSrv->pszInputName, i, (i < 32) ? i : 32, *buff); + doSubmitMsg(pThis, stTime, ttGenTime, pMultiSub); ++ iMsg = 0; + ++(*pnMsgs); + if(pThis->pLstn->pSrv->discardTruncatedMsg == 1) { + pThis->inputState = eInMsgTruncation; +-- +2.12.3 + diff --git a/backport-imptcp-slight-tuning.patch b/backport-imptcp-slight-tuning.patch new file mode 100644 index 0000000000000000000000000000000000000000..3c7ebafecc1aac8f75a3452929e142d5ee2df570 --- /dev/null +++ b/backport-imptcp-slight-tuning.patch 
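Review bot: The added `iMsg = 0;` references the local cache introduced by backport-imptcp-slight-tuning.patch (upstream f052717178), so this patch only compiles if the tuning patch is applied first; the filenames sort `...bugfix-spam...` before `...slight-tuning...`, so if the spec applies patches in name order this one lands on a tree with no `iMsg` local and the build fails. Either number the patches or add a dependency note to the backport header. In the code itself this is the third `doSubmitMsg()` in the block that must be followed by `iMsg = 0;`; a comment on the cache declaration, `/* every doSubmitMsg() below must be followed by iMsg = 0 */`, would make the invariant visible. `processDataRcvd` continues outside the hunk.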
@@ -0,0 +1,227 @@ +From ce810be954d2db00060a352f3e0c0fd7011ba3d6 Mon Sep 17 00:00:00 2001 +From: Rainer Gerhards +Date: Wed, 13 Jul 2022 10:04:34 +0200 +Subject: [PATCH] [backport] imptcp: slight tuning + +- reduce indirect addressing to obtain more speed +- also a fix for an annoying typo +- minor other optimizations +- modernization of one test + +``` + +Conflict:NA +Type:bugfix +Reference:https://github.com/rsyslog/rsyslog/commit/f052717178dac12f6891932667bdca07af2a0d46 + +``` +--- + plugins/imptcp/imptcp.c | 76 +++++++++++++++++++++++++--------------------- + tests/imptcp_multi_line.sh | 10 ++---- + 2 files changed, 44 insertions(+), 42 deletions(-) + +diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c +index 72e32dd5f..c917f28f0 100644 +--- a/plugins/imptcp/imptcp.c ++++ b/plugins/imptcp/imptcp.c +@@ -317,6 +317,8 @@ struct ptcpsess_s { + uchar *pMsg_save; /* message (fragment) save area in regex framing mode */ + prop_t *peerName; /* host name we received messages from */ + prop_t *peerIP; ++ const uchar *startRegex;/* cache for performance reasons */ ++ int iAddtlFrameDelim; /* cache for performance reasons */ + }; + + +@@ -1062,7 +1064,7 @@ processDataRcvd_regexFraming(ptcpsess_t *const __restrict__ pThis, + * rgerhards, 2008-03-14 + * EXTRACT from tcps_sess.c + */ +-static rsRetVal ++static rsRetVal ATTR_NONNULL(1, 2) + processDataRcvd(ptcpsess_t *const __restrict__ pThis, + char **buff, + const int buffLen, +@@ -1072,14 +1074,10 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis, + unsigned *const __restrict__ pnMsgs) + { + DEFiRet; +- char c = **buff; +- int octatesToCopy, octatesToDiscard; +- uchar *propPeerName = NULL; +- int lenPeerName = 0; +- uchar *propPeerIP = NULL; +- int lenPeerIP = 0; +- +- if(pThis->pLstn->pSrv->inst->startRegex != NULL) { ++ const char c = **buff; ++ int octetsToCopy, octetsToDiscard; ++ ++ if(pThis->startRegex != NULL) { + processDataRcvd_regexFraming(pThis, buff, stTime, ttGenTime, pMultiSub, pnMsgs); + 
FINALIZE; + } +@@ -1103,6 +1101,10 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis, + } + + if(pThis->inputState == eInOctetCnt) { ++ uchar *propPeerName = NULL; ++ int lenPeerName = 0; ++ uchar *propPeerIP = NULL; ++ int lenPeerIP = 0; + if(isdigit(c)) { + if(pThis->iOctetsRemain <= 200000000) { + pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0'; +@@ -1149,21 +1151,21 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis, + } + } else if(pThis->inputState == eInMsgTruncation) { + if ((c == '\n') +- || ((pThis->pLstn->pSrv->iAddtlFrameDelim != TCPSRV_NO_ADDTL_DELIMITER) +- && (c == pThis->pLstn->pSrv->iAddtlFrameDelim))) { ++ || ((pThis->iAddtlFrameDelim != TCPSRV_NO_ADDTL_DELIMITER) ++ && (c == pThis->iAddtlFrameDelim))) { + pThis->inputState = eAtStrtFram; + } + } else { + assert(pThis->inputState == eInMsg); +- + if (pThis->eFraming == TCP_FRAMING_OCTET_STUFFING) { +- if(pThis->iMsg >= iMaxLine) { ++ int iMsg = pThis->iMsg; /* cache value for faster access */ ++ if(iMsg >= iMaxLine) { + /* emergency, we now need to flush, no matter if we are at end of message or not... */ + int i = 1; + char currBuffChar; + while(i < buffLen && ((currBuffChar = (*buff)[i]) != '\n' +- && (pThis->pLstn->pSrv->iAddtlFrameDelim == TCPSRV_NO_ADDTL_DELIMITER +- || currBuffChar != pThis->pLstn->pSrv->iAddtlFrameDelim))) { ++ && (pThis->iAddtlFrameDelim == TCPSRV_NO_ADDTL_DELIMITER ++ || currBuffChar != pThis->iAddtlFrameDelim))) { + i++; + } + LogError(0, NO_ERRCODE, "imptcp %s: message received is at least %d byte larger than " +@@ -1181,21 +1183,23 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis, + */ + } + if ((c == '\n') +- || ((pThis->pLstn->pSrv->iAddtlFrameDelim != TCPSRV_NO_ADDTL_DELIMITER) +- && (c == pThis->pLstn->pSrv->iAddtlFrameDelim)) ++ || ((pThis->iAddtlFrameDelim != TCPSRV_NO_ADDTL_DELIMITER) ++ && (c == pThis->iAddtlFrameDelim)) + ) { /* record delimiter? 
*/ + if(pThis->pLstn->pSrv->multiLine) { + if((buffLen == 1) || ((*buff)[1] == '<')) { + doSubmitMsg(pThis, stTime, ttGenTime, pMultiSub); ++ iMsg = 0; /* Reset cached value! */ + ++(*pnMsgs); + pThis->inputState = eAtStrtFram; + } else { +- if(pThis->iMsg < iMaxLine) { +- *(pThis->pMsg + pThis->iMsg++) = c; ++ if(iMsg < iMaxLine) { ++ pThis->pMsg[iMsg++] = c; + } + } + } else { + doSubmitMsg(pThis, stTime, ttGenTime, pMultiSub); ++ iMsg = 0; /* Reset cached value! */ + ++(*pnMsgs); + pThis->inputState = eAtStrtFram; + } +@@ -1205,26 +1209,27 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis, + * we truncate it. This is the best we can do in light of what the engine supports. + * -- rgerhards, 2008-03-14 + */ +- if(pThis->iMsg < iMaxLine) { +- *(pThis->pMsg + pThis->iMsg++) = c; ++ if(likely(iMsg < iMaxLine)) { ++ pThis->pMsg[iMsg++] = c; + } + } ++ pThis->iMsg = iMsg; /* update "real value" with cached one */ + } else { + assert(pThis->eFraming == TCP_FRAMING_OCTET_COUNTING); +- octatesToCopy = pThis->iOctetsRemain; +- octatesToDiscard = 0; +- if (buffLen < octatesToCopy) { +- octatesToCopy = buffLen; ++ octetsToCopy = pThis->iOctetsRemain; ++ octetsToDiscard = 0; ++ if (buffLen < octetsToCopy) { ++ octetsToCopy = buffLen; + } +- if (octatesToCopy + pThis->iMsg > iMaxLine) { +- octatesToDiscard = octatesToCopy - (iMaxLine - pThis->iMsg); +- octatesToCopy = iMaxLine - pThis->iMsg; ++ if (octetsToCopy + pThis->iMsg > iMaxLine) { ++ octetsToDiscard = octetsToCopy - (iMaxLine - pThis->iMsg); ++ octetsToCopy = iMaxLine - pThis->iMsg; + } + +- memcpy(pThis->pMsg + pThis->iMsg, *buff, octatesToCopy); +- pThis->iMsg += octatesToCopy; +- pThis->iOctetsRemain -= (octatesToCopy + octatesToDiscard); +- *buff += (octatesToCopy + octatesToDiscard - 1); ++ memcpy(pThis->pMsg + pThis->iMsg, *buff, octetsToCopy); ++ pThis->iMsg += octetsToCopy; ++ pThis->iOctetsRemain -= (octetsToCopy + octetsToDiscard); ++ *buff += (octetsToCopy + octetsToDiscard - 1); + if 
(pThis->iOctetsRemain == 0) { + /* we have end of frame! */ + doSubmitMsg(pThis, stTime, ttGenTime, pMultiSub); +@@ -1256,8 +1261,8 @@ finalize_it: + * we have just received a bunch of data! -- rgerhards, 2009-06-16 + * EXTRACT from tcps_sess.c + */ +-static rsRetVal +-DataRcvdUncompressed(ptcpsess_t *pThis, char *pData, size_t iLen, struct syslogTime *stTime, time_t ttGenTime) ++static rsRetVal ATTR_NONNULL(1, 2) ++DataRcvdUncompressed(ptcpsess_t *pThis, char *pData, const size_t iLen, struct syslogTime *stTime, time_t ttGenTime) + { + multi_submit_t multiSub; + smsg_t *pMsgs[CONF_NUM_MULTISUB]; +@@ -1265,7 +1270,6 @@ DataRcvdUncompressed(ptcpsess_t *pThis, char *pData, size_t iLen, struct syslogT + unsigned nMsgs = 0; + DEFiRet; + +- assert(pData != NULL); + assert(iLen > 0); + + if(ttGenTime == 0) +@@ -1519,6 +1523,8 @@ addSess(ptcplstn_t *pLstn, int sock, prop_t *peerName, prop_t *peerIP) + pSess->peerName = peerName; + pSess->peerIP = peerIP; + pSess->compressionMode = pLstn->pSrv->compressionMode; ++ pSess->startRegex = pLstn->pSrv->inst->startRegex; ++ pSess->iAddtlFrameDelim = pLstn->pSrv->iAddtlFrameDelim; + + /* add to start of server's listener list */ + pSess->prev = NULL; +diff --git a/tests/imptcp_multi_line.sh b/tests/imptcp_multi_line.sh +index 3c058ac70..f21fae847 100755 +--- a/tests/imptcp_multi_line.sh ++++ b/tests/imptcp_multi_line.sh +@@ -15,17 +15,13 @@ startup + tcpflood -B -I ${srcdir}/testsuites/imptcp_multi_line.testdata + shutdown_when_empty # shut down rsyslogd when done processing messages + wait_shutdown # and wait for it to terminate +-echo 'NEWMSG: <133>Mar 1 01:00:00 172.20.245.8 tag test1 ++export EXPECTED='NEWMSG: <133>Mar 1 01:00:00 172.20.245.8 tag test1 + NEWMSG: <133>Mar 1 01:00:00 172.20.245.8 tag test2 + NEWMSG: <133>Mar 1 01:00:00 172.20.245.8 tag multi#012line1 + NEWMSG: <133>Mar 1 01:00:00 172.20.245.8 tag multi#012l#012i#012n#012#012e2 + NEWMSG: <133>Mar 1 01:00:00 172.20.245.8 tag test3 + NEWMSG: <133>Mar 1 01:00:00 
172.20.245.8 tag multi#012line3 + NEWMSG: <133>Mar 1 01:00:00 172.20.245.8 tag test4 +-NEWMSG: <133>Mar 1 01:00:00 172.20.245.8 tag test end' | cmp - $RSYSLOG_OUT_LOG +-if [ ! $? -eq 0 ]; then +- echo "invalid response generated, $RSYSLOG_OUT_LOG is:" +- cat $RSYSLOG_OUT_LOG +- error_exit 1 +-fi; ++NEWMSG: <133>Mar 1 01:00:00 172.20.245.8 tag test end' ++cmp_exact + exit_test +-- +2.12.3 + diff --git a/backport-imtcp-add-option-notifyonconnectionopen.patch b/backport-imtcp-add-option-notifyonconnectionopen.patch new file mode 100644 index 0000000000000000000000000000000000000000..6698745a37274237a3df290795a32de1d84e8027 --- /dev/null +++ b/backport-imtcp-add-option-notifyonconnectionopen.patch 
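Review bot: Caching `pThis->iMsg` in the local `iMsg` introduces an invariant that every `doSubmitMsg()` inside the octet-stuffing branch must also reset the cache, and the oversize-flush path (`doSubmitMsg(pThis, stTime, ttGenTime, pMultiSub); ++(*pnMsgs);` after the LogError) does not — so after a flush `iMsg` stays at `iMaxLine`, the `likely(iMsg < iMaxLine)` store is skipped for the rest of the buffer, and the stale value is written back at `pThis->iMsg = iMsg;`, which is the error-per-byte regression that backport-imptcp-bugfix-spam-log-on-oversize-message.patch in this same series repairs. Since both patches ship together, at least state the invariant where the cache is declared: `int iMsg = pThis->iMsg; /* cache; MUST be zeroed after every doSubmitMsg() in this block */`. `pSess->startRegex` now caches a pointer into the instance config, which is fine while instances outlive sessions but deserves a comment saying so. `processDataRcvd` begins before the first hunk and continues past its last.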
@@ -0,0 +1,292 @@
+From 8f97f8c283d1939aa2936ce1090239d759919332 Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards
+Date: Tue, 23 Aug 2022 12:19:38 +0200
+Subject: [PATCH] [backport] imtcp: add option notifyonconnectionopen
+
+Add this both as module an input parameter. Complements already-existing
+config param notifyonconnectionclose and mirrors the similar feature from
+imptcp.
+
+The module parameter acts as default, similarly to notifyonconnectionclose.
+
+Note that in contrast to imptcp, we emit IP addresses and not host
+names. This sticks with the traditional semantics of imtcp.
+
+Note that we also fixed a mislading error message in the case when a
+disallowed sender tried to connect.
+
+Thanks to John Chivian for suggesting the addition.
+
+---
+
+Conflict:NA
+Type:bugfix
+Reference:https://github.com/rsyslog/rsyslog/commit/4c66ab3abcb17fbf69fb317bae379db0054f327a
+
+---
+---
+ plugins/imtcp/imtcp.c | 14 +++++++++++++-
+ runtime/tcpsrv.c | 28 ++++++++++++++++++++++++----
+ runtime/tcpsrv.h | 6 ++++--
+ tests/allowed-sender-tcp-fail.sh | 2 +-
+ tests/allowed-sender-tcp-hostname-fail.sh | 2 +-
+ tests/imtcp-connection-msg-recieved.sh | 3 ++-
+ 6 files changed, 45 insertions(+), 10 deletions(-)
+
+diff --git a/plugins/imtcp/imtcp.c b/plugins/imtcp/imtcp.c
+index c38942c89..33eaf9c87 100644
+--- a/plugins/imtcp/imtcp.c
++++ b/plugins/imtcp/imtcp.c
+@@ -4,7 +4,7 @@
+ * File begun on 2007-12-21 by RGerhards (extracted from syslogd.c,
+ * which at the time of the rsyslog fork was BSD-licensed)
+ *
+- * Copyright 2007-2021 Adiscon GmbH.
++ * Copyright 2007-2022 Adiscon GmbH.
+ *
+ * This file is part of rsyslog.
+ *
+@@ -104,6 +104,7 @@ static struct configSettings_s {
+ int iKeepAliveProbes;
+ int iKeepAliveTime;
+ int bEmitMsgOnClose;
++ int bEmitMsgOnOpen;
+ int iAddtlFrameDelim;
+ int maxFrameSize;
+ int bDisableLFDelim;
+@@ -136,6 +137,7 @@ struct instanceConf_s {
+ int bDisableLFDelim;
+ int discardTruncatedMsg;
+ int bEmitMsgOnClose;
++ int bEmitMsgOnOpen;
+ int bPreserveCase;
+ uchar *pszStrmDrvrName; /* stream driver to use */
+ int iStrmDrvrMode;
+@@ -177,6 +179,7 @@ struct modConfData_s {
+ int iKeepAliveProbes;
+ int iKeepAliveTime;
+ sbool bEmitMsgOnClose; /* emit an informational message on close by remote peer */
++ sbool bEmitMsgOnOpen; /* emit an informational message on close by remote peer */
+ uchar *gnutlsPriorityString;
+ uchar *pszStrmDrvrName; /* stream driver to use */
+ uchar *pszStrmDrvrAuthMode; /* authentication mode to use */
+@@ -199,6 +202,7 @@ static struct cnfparamdescr modpdescr[] = {
+ { "discardtruncatedmsg", eCmdHdlrBinary, 0 },
+ { "octetcountedframing", eCmdHdlrBinary, 0 },
+ { "notifyonconnectionclose", eCmdHdlrBinary, 0 },
++ { "notifyonconnectionopen", eCmdHdlrBinary, 0 },
+ { "addtlframedelimiter", eCmdHdlrNonNegInt, 0 },
+ { "maxframesize", eCmdHdlrInt, 0 },
+ { "maxsessions", eCmdHdlrPositiveInt, 0 },
+@@ -234,6 +238,7 @@ static struct cnfparamdescr inppdescr[] = {
+ { "disablelfdelimiter", eCmdHdlrBinary, 0 },
+ { "discardtruncatedmsg", eCmdHdlrBinary, 0 },
+ { "notifyonconnectionclose", eCmdHdlrBinary, 0 },
++ { "notifyonconnectionopen", eCmdHdlrBinary, 0 },
+ { "addtlframedelimiter", eCmdHdlrNonNegInt, 0 },
+ { "maxframesize", eCmdHdlrInt, 0 },
+ { "preservecase", eCmdHdlrBinary, 0 },
+@@ -383,6 +388,7 @@ createInstance(instanceConf_t **pinst)
+ inst->bDisableLFDelim = loadModConf->bDisableLFDelim;
+ inst->discardTruncatedMsg = loadModConf->discardTruncatedMsg;
+ inst->bEmitMsgOnClose = loadModConf->bEmitMsgOnClose;
++ inst->bEmitMsgOnOpen = loadModConf->bEmitMsgOnOpen;
+ inst->bPreserveCase = loadModConf->bPreserveCase;
+ inst->iTCPLstnMax = loadModConf->iTCPLstnMax;
+ inst->iTCPSessMax = loadModConf->iTCPSessMax;
+@@ -496,6 +502,7 @@ addListner(modConfData_t *modConf, instanceConf_t *inst)
+ CHKiRet(tcpsrv.SetbDisableLFDelim(pOurTcpsrv, inst->bDisableLFDelim));
+ CHKiRet(tcpsrv.SetDiscardTruncatedMsg(pOurTcpsrv, inst->discardTruncatedMsg));
+ CHKiRet(tcpsrv.SetNotificationOnRemoteClose(pOurTcpsrv, inst->bEmitMsgOnClose));
++ CHKiRet(tcpsrv.SetNotificationOnRemoteOpen(pOurTcpsrv, inst->bEmitMsgOnOpen));
+ CHKiRet(tcpsrv.SetPreserveCase(pOurTcpsrv, inst->bPreserveCase));
+ /* now set optional params, but only if they were actually configured */
+ psz = (inst->pszStrmDrvrName == NULL) ? modConf->pszStrmDrvrName : inst->pszStrmDrvrName;
+@@ -643,6 +650,8 @@ CODESTARTnewInpInst
+ inst->discardTruncatedMsg = (int) pvals[i].val.d.n;
+ } else if(!strcmp(inppblk.descr[i].name, "notifyonconnectionclose")) {
+ inst->bEmitMsgOnClose = (int) pvals[i].val.d.n;
++ } else if(!strcmp(inppblk.descr[i].name, "notifyonconnectionopen")) {
++ inst->bEmitMsgOnOpen = (int) pvals[i].val.d.n;
+ } else if(!strcmp(inppblk.descr[i].name, "addtlframedelimiter")) {
+ inst->iAddtlFrameDelim = (int) pvals[i].val.d.n;
+ } else if(!strcmp(inppblk.descr[i].name, "maxframesize")) {
+@@ -705,6 +714,7 @@ CODESTARTbeginCnfLoad
+ loadModConf->iKeepAliveProbes = 0;
+ loadModConf->iKeepAliveTime = 0;
+ loadModConf->bEmitMsgOnClose = 0;
++ loadModConf->bEmitMsgOnOpen = 0;
+ loadModConf->iAddtlFrameDelim = TCPSRV_NO_ADDTL_DELIMITER;
+ loadModConf->maxFrameSize = 200000;
+ loadModConf->bDisableLFDelim = 0;
+@@ -754,6 +764,8 @@ CODESTARTsetModCnf
+ loadModConf->bSuppOctetFram = (int) pvals[i].val.d.n;
+ } else if(!strcmp(modpblk.descr[i].name, "notifyonconnectionclose")) {
+ loadModConf->bEmitMsgOnClose = (int) pvals[i].val.d.n;
++ } else if(!strcmp(modpblk.descr[i].name, "notifyonconnectionopen")) {
++ loadModConf->bEmitMsgOnOpen = (int) pvals[i].val.d.n;
+ } else if(!strcmp(modpblk.descr[i].name, "addtlframedelimiter")) {
+ loadModConf->iAddtlFrameDelim = (int) pvals[i].val.d.n;
+ } else if(!strcmp(modpblk.descr[i].name, "maxframesize")) {
+diff --git a/runtime/tcpsrv.c b/runtime/tcpsrv.c
+index 2feb2ccc3..9b83cc9f7 100644
+--- a/runtime/tcpsrv.c
++++ b/runtime/tcpsrv.c
+@@ -21,7 +21,7 @@
+ * File begun on 2007-12-21 by RGerhards (extracted from syslogd.c[which was
+ * licensed under BSD at the time of the rsyslog fork])
+ *
+- * Copyright 2007-2021 Adiscon GmbH.
++ * Copyright 2007-2022 Adiscon GmbH.
+ *
+ * This file is part of rsyslog.
+ *
+@@ -441,7 +441,7 @@ SessAccept(tcpsrv_t *pThis, tcpLstnPortList_t *pLstnInfo, tcps_sess_t **ppSess,
+ int iSess = -1;
+ struct sockaddr_storage *addr;
+ uchar *fromHostFQDN = NULL;
+- prop_t *fromHostIP;
++ prop_t *fromHostIP = NULL;
+
+ ISOBJ_TYPE_assert(pThis, tcpsrv);
+ assert(pLstnInfo != NULL);
+@@ -496,7 +496,7 @@ SessAccept(tcpsrv_t *pThis, tcpLstnPortList_t *pLstnInfo, tcps_sess_t **ppSess,
+ DBGPRINTF("%s is not an allowed sender\n", fromHostFQDN);
+ if(glbl.GetOption_DisallowWarning()) {
+ errno = 0;
+- LogError(0, RS_RET_HOST_NOT_PERMITTED, "TCP message from disallowed "
++ LogError(0, RS_RET_HOST_NOT_PERMITTED, "connection request from disallowed "
+ "sender %s discarded", fromHostFQDN);
+ }
+ ABORT_FINALIZE(RS_RET_HOST_NOT_PERMITTED);
+@@ -523,8 +523,20 @@ SessAccept(tcpsrv_t *pThis, tcpLstnPortList_t *pLstnInfo, tcps_sess_t **ppSess,
+ pThis->pSessions[iSess] = pSess;
+ pSess = NULL; /* this is now also handed over */
+
++ if(pThis->bEmitMsgOnOpen) {
++ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
++ "imtcp: connection established with host: %s",
++ propGetSzStr(fromHostIP));
++ }
++
+ finalize_it:
+ if(iRet != RS_RET_OK) {
++ if(iRet != RS_RET_HOST_NOT_PERMITTED && pThis->bEmitMsgOnOpen) {
++ LogError(0, NO_ERRCODE, "imtcp: connection could not be "
++ "established with host: %s",
++ fromHostIP == NULL ? "(IP unknown)"
++ : (const char*)propGetSzStr(fromHostIP));
++ }
+ if(pSess != NULL)
+ tcps_sess.Destruct(&pSess);
+ if(pNewStrm != NULL)
+@@ -1354,9 +1366,16 @@ SetLinuxLikeRatelimiters(tcpsrv_t *pThis, unsigned int ratelimitInterval, unsign
+ }
+
+
++/* Set connection open notification */
++static rsRetVal
++SetNotificationOnRemoteOpen(tcpsrv_t *pThis, const int bNewVal)
++{
++ pThis->bEmitMsgOnOpen = bNewVal;
++ return RS_RET_OK;
++}
+ /* Set connection close notification */
+ static rsRetVal
+-SetNotificationOnRemoteClose(tcpsrv_t *pThis, int bNewVal)
++SetNotificationOnRemoteClose(tcpsrv_t *pThis, const int bNewVal)
+ {
+ DEFiRet;
+ pThis->bEmitMsgOnClose = bNewVal;
+@@ -1608,6 +1627,7 @@ CODESTARTobjQueryInterface(tcpsrv)
+ pIf->SetOnMsgReceive = SetOnMsgReceive;
+ pIf->SetLinuxLikeRatelimiters = SetLinuxLikeRatelimiters;
+ pIf->SetNotificationOnRemoteClose = SetNotificationOnRemoteClose;
++ pIf->SetNotificationOnRemoteOpen = SetNotificationOnRemoteOpen;
+ pIf->SetPreserveCase = SetPreserveCase;
+ pIf->SetDrvrCheckExtendedKeyUsage = SetDrvrCheckExtendedKeyUsage;
+ pIf->SetDrvrPrioritizeSAN = SetDrvrPrioritizeSAN;
+diff --git a/runtime/tcpsrv.h b/runtime/tcpsrv.h
+index c250f84ab..1a1613d52 100644
+--- a/runtime/tcpsrv.h
++++ b/runtime/tcpsrv.h
+@@ -1,6 +1,6 @@
+ /* Definitions for tcpsrv class.
+ *
+- * Copyright 2008-2021 Adiscon GmbH.
++ * Copyright 2008-2022 Adiscon GmbH.
+ *
+ * This file is part of rsyslog.
+ *
+@@ -87,6 +87,7 @@ struct tcpsrv_s {
+ ruleset_t *pRuleset; /**< ruleset to bind to */
+ permittedPeers_t *pPermPeers;/**< driver's permitted peers */
+ sbool bEmitMsgOnClose; /**< emit an informational message when the remote peer closes connection */
++ sbool bEmitMsgOnOpen;
+ sbool bUsingEPoll; /**< are we in epoll mode (means we do not need to keep track of sessions!) */
+ sbool bUseFlowControl; /**< use flow control (make light delayable) */
+ sbool bSPFramingFix; /**< support work-around for broken Cisco ASA framing? */
+@@ -174,6 +175,7 @@ BEGINinterface(tcpsrv) /* name must also be changed in ENDinterface macro! */
+ /* added v7 (accidently named v8!) */
+ rsRetVal (*SetLstnMax)(tcpsrv_t *pThis, int iMaxLstn); /* 2009-08-17 */
+ rsRetVal (*SetNotificationOnRemoteClose)(tcpsrv_t *pThis, int bNewVal); /* 2009-10-01 */
++ rsRetVal (*SetNotificationOnRemoteOpen)(tcpsrv_t *pThis, int bNewVal); /* 2022-08-23 */
+ /* added v9 -- rgerhards, 2010-03-01 */
+ rsRetVal (*SetbDisableLFDelim)(tcpsrv_t*, int);
+ /* added v10 -- rgerhards, 2011-04-01 */
+@@ -209,7 +211,7 @@ BEGINinterface(tcpsrv) /* name must also be changed in ENDinterface macro! */
+ rsRetVal (*SetDrvrKeyFile)(tcpsrv_t *pThis, uchar *pszMode);
+ rsRetVal (*SetDrvrCertFile)(tcpsrv_t *pThis, uchar *pszMode);
+ ENDinterface(tcpsrv)
+-#define tcpsrvCURR_IF_VERSION 25 /* increment whenever you change the interface structure! */
++#define tcpsrvCURR_IF_VERSION 26 /* increment whenever you change the interface structure! */
+ /* change for v4:
+ * - SetAddtlFrameDelim() added -- rgerhards, 2008-12-10
+ * - SetInputName() added -- rgerhards, 2008-12-10
+diff --git a/tests/allowed-sender-tcp-fail.sh b/tests/allowed-sender-tcp-fail.sh
+index 2dad643df..81b053e2a 100755
+--- a/tests/allowed-sender-tcp-fail.sh
++++ b/tests/allowed-sender-tcp-fail.sh
+@@ -21,6 +21,6 @@ assign_tcpflood_port $RSYSLOG_DYNNAME.tcpflood_port
+ tcpflood -m$NUMMESSAGES
+ shutdown_when_empty
+ wait_shutdown
+-content_check --regex "TCP message from disallowed sender .* discarded"
++content_check --regex "connection request from disallowed sender .* discarded"
+ check_file_not_exists "$RSYSLOG_DYNNAME.must-not-be-created"
+ exit_test
+diff --git a/tests/allowed-sender-tcp-hostname-fail.sh b/tests/allowed-sender-tcp-hostname-fail.sh
+index 01a9e81d4..01ec9d728 100755
+--- a/tests/allowed-sender-tcp-hostname-fail.sh
++++ b/tests/allowed-sender-tcp-hostname-fail.sh
+@@ -26,6 +26,6 @@ assign_tcpflood_port $RSYSLOG_DYNNAME.tcpflood_port
+ tcpflood -m$NUMMESSAGES
+ shutdown_when_empty
+ wait_shutdown
+-content_check --regex "TCP message from disallowed sender .* discarded"
++content_check --regex "connection request from disallowed sender .* discarded"
+ check_file_not_exists "$RSYSLOG_DYNNAME.must-not-be-created"
+ exit_test
+diff --git a/tests/imtcp-connection-msg-recieved.sh b/tests/imtcp-connection-msg-recieved.sh
+index 1b2db15a9..60d34974e 100755
+--- a/tests/imtcp-connection-msg-recieved.sh
++++ b/tests/imtcp-connection-msg-recieved.sh
+@@ -5,7 +5,7 @@ generate_conf
+ add_conf '
+ module(load="../plugins/imtcp/.libs/imtcp")
+ input(type="imtcp" port="0" listenPortFileName="'$RSYSLOG_DYNNAME'.tcpflood_port"
+- notifyonconnectionclose="on")
++ notifyonconnectionopen="on" notifyonconnectionclose="on")
+
+ :msg, contains, "msgnum:" {
+ action(type="omfile" file=`echo $RSYSLOG2_OUT_LOG`)
+@@ -19,5 +19,6 @@ assign_tcpflood_port $RSYSLOG_DYNNAME.tcpflood_port
+ tcpflood -m1 -M"\"<129>Mar 10 01:00:00 172.20.245.8 tag: msgnum:1\""
+ shutdown_when_empty
+ wait_shutdown
++content_check "connection established with "
+ content_check "closed by remote peer "
+ exit_test
+--
+2.12.3
+
diff --git a/backport-omfile-add-action-parameters-rotation.patch b/backport-omfile-add-action-parameters-rotation.patch
new file mode 100644
index 0000000000000000000000000000000000000000..22666677a31415612c5632b5aa4fc7a8f74b7770
--- /dev/null
+++ b/backport-omfile-add-action-parameters-rotation.patch
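Review bot: The new `bEmitMsgOnOpen` member of `modConfData_s` in imtcp.c carries a copy-pasted comment that still reads "on close by remote peer", and the matching `sbool bEmitMsgOnOpen;` added to `struct tcpsrv_s` in tcpsrv.h is the only field in that run without a `/**< … */` description. Suggested: `sbool bEmitMsgOnOpen; /* emit an informational message when a remote peer opens a connection */` in imtcp.c and `sbool bEmitMsgOnOpen; /**< emit an informational message when a remote peer connects */` in tcpsrv.h. As a point of style, `SetNotificationOnRemoteOpen` returns `RS_RET_OK` directly and is not separated from `SetNotificationOnRemoteClose` by a blank line, while its sibling uses `DEFiRet`; matching the sibling keeps the setters uniform. Note also that the `LogError` added under `finalize_it` in `SessAccept` fires for every failed accept other than a disallowed sender whenever the option is on, so an operator enabling it should expect one error line per failed connection attempt from any remote; the rest of `SessAccept` lies outside the hunk.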
@@ -0,0 +1,133 @@
+From 631288bbfc785bad0edca2e81f8861ec41860f86 Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards
+Date: Wed, 11 Jan 2023 13:06:15 +0100
+Subject: [PATCH] [backport] omfile: add action parameters "rotation.*"
+
+Add new action parameters
+- rotation.sizeLimit
+- rotation.sizeLimitCommand
+provide automatic output file rotation functionality feature-wise
+equivalent to legacy $outchannel. This finally permits to use
+this feature set in rscript.
+
+---
+
+Conflict:tools/omfile.c
+Type:bugfix
+Reference:https://github.com/rsyslog/rsyslog/commit/f95676d849f1869b3a0b4b5f2cdeed628c883ec3
+
+---
+---
+ tests/Makefile.am | 2 ++
+ tests/omfile-sizelimitcmd-many.sh | 36 ++++++++++++++++++++++++++++++++++++
+ tools/omfile.c | 10 +++++++++-
+ 3 files changed, 47 insertions(+), 1 deletion(-)
+ create mode 100755 tests/omfile-sizelimitcmd-many.sh
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 42822d65a..47aee2a65 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -1079,6 +1079,7 @@ TESTS += \
+ rscript_hash32.sh \
+ rscript_hash64.sh \
+ rscript_replace.sh \
++ omfile-sizelimitcmd-many.sh \
+ omfile-outchannel-many.sh
+ if HAVE_VALGRIND
+ TESTS += \
+@@ -1912,6 +1913,7 @@ EXTRA_DIST= \
+ omfile-read-only.sh \
+ omfile-outchannel.sh \
+ omfile-outchannel-many.sh \
++ omfile-sizelimitcmd-many.sh \
+ omfile_both_files_set.sh \
+ omfile_hup.sh \
+ omrabbitmq_no_params.sh \
+diff --git a/tests/omfile-sizelimitcmd-many.sh b/tests/omfile-sizelimitcmd-many.sh
+new file mode 100755
+index 000000000..b1c8d0bd1
+--- /dev/null
++++ b/tests/omfile-sizelimitcmd-many.sh
+@@ -0,0 +1,36 @@
++#!/bin/bash
++# addd 2023-01-11 by RGerhards, released under ASL 2.0
++. ${srcdir:=.}/diag.sh init
++export NUMMESSAGES=50000
++echo "ls -l $RSYSLOG_DYNNAME.channel.*
++mv -f $RSYSLOG_DYNNAME.channel.log.prev.9 $RSYSLOG_DYNNAME.channel.log.prev.10 2>/dev/null
++mv -f $RSYSLOG_DYNNAME.channel.log.prev.8 $RSYSLOG_DYNNAME.channel.log.prev.9 2>/dev/null
++mv -f $RSYSLOG_DYNNAME.channel.log.prev.7 $RSYSLOG_DYNNAME.channel.log.prev.8 2>/dev/null
++mv -f $RSYSLOG_DYNNAME.channel.log.prev.6 $RSYSLOG_DYNNAME.channel.log.prev.7 2>/dev/null
++mv -f $RSYSLOG_DYNNAME.channel.log.prev.5 $RSYSLOG_DYNNAME.channel.log.prev.6 2>/dev/null
++mv -f $RSYSLOG_DYNNAME.channel.log.prev.4 $RSYSLOG_DYNNAME.channel.log.prev.5 2>/dev/null
++mv -f $RSYSLOG_DYNNAME.channel.log.prev.3 $RSYSLOG_DYNNAME.channel.log.prev.4 2>/dev/null
++mv -f $RSYSLOG_DYNNAME.channel.log.prev.2 $RSYSLOG_DYNNAME.channel.log.prev.3 2>/dev/null
++mv -f $RSYSLOG_DYNNAME.channel.log.prev.1 $RSYSLOG_DYNNAME.channel.log.prev.2 2>/dev/null
++mv -f $RSYSLOG_DYNNAME.channel.log.prev $RSYSLOG_DYNNAME.channel.log.prev.1 2>/dev/null
++mv -f $RSYSLOG_DYNNAME.channel.log $RSYSLOG_DYNNAME.channel.log.prev
++" > $RSYSLOG_DYNNAME.rotate.sh
++chmod +x $RSYSLOG_DYNNAME.rotate.sh
++generate_conf
++add_conf '
++template(name="outfmt" type="string" string="%msg:F,58:2%\n")
++
++if $msg contains "msgnum:" then {
++ action(type="omfile" file="'$RSYSLOG_DYNNAME.channel.log'" template="outfmt"
++ rotation.sizeLimit="50k"
++ rotation.sizeLimitCommand="./'$RSYSLOG_DYNNAME.rotate.sh'")
++}
++'
++startup
++injectmsg
++shutdown_when_empty
++wait_shutdown
++ls -l $RSYSLOG_DYNNAME.channel.*
++cat $RSYSLOG_DYNNAME.channel.* > $RSYSLOG_OUT_LOG
++seq_check
++exit_test
+diff --git a/tools/omfile.c b/tools/omfile.c
+index 8f3a59fcc..39fb280be 100644
+--- a/tools/omfile.c
++++ b/tools/omfile.c
+@@ -17,7 +17,7 @@
+ * pipes. These have been moved to ompipe, to reduced the entanglement
+ * between the two different functionalities. -- rgerhards
+ *
+- * Copyright 2007-2018 Adiscon GmbH.
++ * Copyright 2007-2023 Adiscon GmbH.
+ *
+ * This file is part of rsyslog.
+ *
+@@ -277,6 +277,8 @@ static struct cnfparamdescr actpdescr[] = {
+ { "sig.provider", eCmdHdlrGetWord, 0 },
+ { "cry.provider", eCmdHdlrGetWord, 0 },
+ { "closetimeout", eCmdHdlrPositiveInt, 0 },
++ { "rotation.sizelimit", eCmdHdlrSize, 0 },
++ { "rotation.sizelimitcommand", eCmdHdlrString, 0 },
+ { "template", eCmdHdlrGetWord, 0 }
+ };
+ static struct cnfparamblk actpblk =
+@@ -1120,6 +1122,8 @@ setInstParamDefaults(instanceData *__restrict__ const pData)
+ pData->useSigprov = 0;
+ pData->useCryprov = 0;
+ pData->iCloseTimeout = -1;
++ pData->iSizeLimit = 0;
++ pData->pszSizeLimitCmd = NULL;
+ }
+
+
+@@ -1333,6 +1337,10 @@ CODESTARTnewActInst
+ pData->cryprovName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ } else if(!strcmp(actpblk.descr[i].name, "closetimeout")) {
+ pData->iCloseTimeout = (int) pvals[i].val.d.n;
++ } else if(!strcmp(actpblk.descr[i].name, "rotation.sizelimit")) {
++ pData->iSizeLimit = (int) pvals[i].val.d.n;
++ } else if(!strcmp(actpblk.descr[i].name, "rotation.sizelimitcommand")) {
++ pData->pszSizeLimitCmd = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ } else {
+ dbgprintf("omfile: program error, non-handled "
+ "param '%s'\n", actpblk.descr[i].name);
+--
+2.12.3
+
diff --git a/backport-substring-function-enhancement-and-hardenin.patch b/backport-substring-function-enhancement-and-hardenin.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3d9998090fac48576819431e372d3c823b5a841a
--- /dev/null
+++ b/backport-substring-function-enhancement-and-hardenin.patch
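Review bot: `pData->iSizeLimit = (int) pvals[i].val.d.n;` in the new `rotation.sizelimit` branch narrows a value parsed by `eCmdHdlrSize` to `int`, so a limit of 2 GiB or more is silently mangled — on the usual ABIs 4 GiB becomes 0, which `setInstParamDefaults` uses as the "no limit" value, and 2–4 GiB becomes negative. The declaration of `iSizeLimit` is outside the hunk; if it is already a 64-bit/`off_t` field the fix is to drop the cast or cast to that type, e.g. `pData->iSizeLimit = (off_t) pvals[i].val.d.n;`, otherwise the field itself needs widening. Separately, the diffstat accounts for every changed line in omfile.c and none touches instance teardown, so the `es_str2cstr` result stored in `pszSizeLimitCmd` is only released if the existing `freeInstance` already frees that field (plausible if the legacy `$outchannel` path shares it, but worth confirming). The test exercises `rotation.sizelimitcommand` as a shell script, so it is presumably executed with rsyslog's own privileges; the parameter documentation should state that explicitly.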
@@ -0,0 +1,204 @@
+From 73b8ab6d97c4666f973ddcea2a6e42bf27dd4080 Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards
+Date: Fri, 13 Jan 2023 13:14:40 +0100
+Subject: [PATCH] [backport] substring function: enhancement and hardening
+
+Now, length can have a negative value -n to denote that the
+substring should be build between startpos and the character
+-n chars from the end. This is a shortcut for stripping charactes
+on "both ends" of the string.
+
+Also, some hardening against invalid startpos and length has
+been added.
+
+---
+
+Conflict:NA
+Type:bugfix
+Reference:https://github.com/rsyslog/rsyslog/commit/1e7abb8a1a7d8677141f0e37434d986c32345a4f
+
+---
+---
+ grammar/rainerscript.c | 19 +++++++++++++++++--
+ tests/Makefile.am | 10 ++++++++++
+ tests/func-substring-invld-startpos-vg.sh | 3 +++
+ tests/func-substring-invld-startpos.sh | 17 +++++++++++++++++
+ tests/func-substring-large-endpos.sh | 17 +++++++++++++++++
+ tests/func-substring-large-neg-endpos.sh | 17 +++++++++++++++++
+ tests/func-substring-relative-endpos.sh | 17 +++++++++++++++++
+ 7 files changed, 98 insertions(+), 2 deletions(-)
+ create mode 100755 tests/func-substring-invld-startpos-vg.sh
+ create mode 100755 tests/func-substring-invld-startpos.sh
+ create mode 100755 tests/func-substring-large-endpos.sh
+ create mode 100755 tests/func-substring-large-neg-endpos.sh
+ create mode 100755 tests/func-substring-relative-endpos.sh
+
+diff --git a/grammar/rainerscript.c b/grammar/rainerscript.c
+index 0ec18a6d7..c2c72999b 100644
+--- a/grammar/rainerscript.c
++++ b/grammar/rainerscript.c
+@@ -2427,8 +2427,23 @@ doFunct_Substring(struct cnffunc *__restrict__ const func,
+ cnfexprEval(func->expr[1], &srcVal[1], usrptr, pWti);
+ cnfexprEval(func->expr[2], &srcVal[2], usrptr, pWti);
+ es_str_t *es = var2String(&srcVal[0], &bMustFree);
+- const int start = var2Number(&srcVal[1], NULL);
+- const int subStrLen = var2Number(&srcVal[2], NULL);
++ const int lenSrcStr = es_strlen(es);
++ int start = var2Number(&srcVal[1], NULL);
++ int subStrLen = var2Number(&srcVal[2], NULL);
++ if(start >= lenSrcStr) {
++ /* begin PAST the source string - ensure nothing is copied at all */
++ start = subStrLen = 0;
++ } else {
++ if(subStrLen < 0) {
++ subStrLen = lenSrcStr + subStrLen; /* "add" negative offset! */
++ if(subStrLen < 0) {
++ subStrLen = 0;
++ }
++ }
++ if(subStrLen > (lenSrcStr - start)) {
++ subStrLen = lenSrcStr - start;
++ }
++ }
+
+ ret->datatype = 'S';
+ ret->d.estr = es_newStrFromSubStr(es, (es_size_t)start, (es_size_t)subStrLen);
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index be9624179..1247b08ab 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -184,6 +184,10 @@ TESTS += \
+ hostname-with-slash-pmrfc5424.sh \
+ hostname-with-slash-pmrfc3164.sh \
+ hostname-with-slash-dflt-invld.sh \
++ func-substring-invld-startpos.sh \
++ func-substring-large-endpos.sh \
++ func-substring-large-neg-endpos.sh \
++ func-substring-relative-endpos.sh \
+ hostname-with-slash-dflt-slash-valid.sh \
+ empty-app-name.sh \
+ stop-localvar.sh \
+@@ -545,6 +549,7 @@ TESTS += \
+ badqi.sh \
+ threadingmq.sh \
+ threadingmqaq.sh \
++ func-substring-invld-startpos-vg.sh \
+ rscript_trim-vg.sh
+ if ENABLE_LIBGCRYPT
+ TESTS += \
+@@ -1644,6 +1649,11 @@ EXTRA_DIST= \
+ config_enabled-off.sh \
+ empty-app-name.sh \
+ empty-hostname.sh \
++ func-substring-invld-startpos.sh \
++ func-substring-invld-startpos-vg.sh \
++ func-substring-large-endpos.sh \
++ func-substring-large-neg-endpos.sh \
++ func-substring-relative-endpos.sh \
+ hostname-with-slash-pmrfc5424.sh \
+ hostname-with-slash-pmrfc3164.sh \
+ pmrfc3164-msgFirstSpace.sh \
+diff --git a/tests/func-substring-invld-startpos-vg.sh b/tests/func-substring-invld-startpos-vg.sh
+new file mode 100755
+index 000000000..cbd3e555a
+--- /dev/null
++++ b/tests/func-substring-invld-startpos-vg.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++export USE_VALGRIND="YES"
++source ${srcdir:-.}/func-substring-invld-startpos.sh
+diff --git a/tests/func-substring-invld-startpos.sh b/tests/func-substring-invld-startpos.sh
+new file mode 100755
+index 000000000..5f658e3fb
+--- /dev/null
++++ b/tests/func-substring-invld-startpos.sh
+@@ -0,0 +1,17 @@
++#!/bin/bash
++# addd 2023-01-13 by RGerhards, released under ASL 2.0
++. ${srcdir:=.}/diag.sh init
++generate_conf
++add_conf '
++template(name="outfmt" type="string" string="data:%$!my_struc_data%\n")
++
++set $!my_struc_data = substring($STRUCTURED-DATA, 2000, -3);
++local4.debug action(type="omfile" template="outfmt" file="'$RSYSLOG_OUT_LOG'")
++'
++startup
++injectmsg_literal '<167>1 2003-03-01T01:00:00.000Z hostname1 sender - tag [tcpflood@32473 MSGNUM="0"] data'
++shutdown_when_empty
++wait_shutdown
++export EXPECTED='data:'
++cmp_exact
++exit_test
+diff --git a/tests/func-substring-large-endpos.sh b/tests/func-substring-large-endpos.sh
+new file mode 100755
+index 000000000..78d5d7db8
+--- /dev/null
++++ b/tests/func-substring-large-endpos.sh
+@@ -0,0 +1,17 @@
++#!/bin/bash
++# addd 2023-01-13 by RGerhards, released under ASL 2.0
++. ${srcdir:=.}/diag.sh init
++generate_conf
++add_conf '
++template(name="outfmt" type="string" string="%$!my_struc_data%\n")
++
++set $!my_struc_data = substring($STRUCTURED-DATA, 1, 99999999);
++local4.debug action(type="omfile" template="outfmt" file="'$RSYSLOG_OUT_LOG'")
++'
++startup
++injectmsg_literal '<167>1 2003-03-01T01:00:00.000Z hostname1 sender - tag [tcpflood@32473 MSGNUM="0"] data'
++shutdown_when_empty
++wait_shutdown
++export EXPECTED='tcpflood@32473 MSGNUM="0"]'
++cmp_exact
++exit_test
+diff --git a/tests/func-substring-large-neg-endpos.sh b/tests/func-substring-large-neg-endpos.sh
+new file mode 100755
+index 000000000..23344f074
+--- /dev/null
++++ b/tests/func-substring-large-neg-endpos.sh
+@@ -0,0 +1,17 @@
++#!/bin/bash
++# addd 2023-01-13 by RGerhards, released under ASL 2.0
++. ${srcdir:=.}/diag.sh init
++generate_conf
++add_conf '
++template(name="outfmt" type="string" string="data:%$!my_struc_data%\n")
++
++set $!my_struc_data = substring($STRUCTURED-DATA, 1, -9999999);
++local4.debug action(type="omfile" template="outfmt" file="'$RSYSLOG_OUT_LOG'")
++'
++startup
++injectmsg_literal '<167>1 2003-03-01T01:00:00.000Z hostname1 sender - tag [tcpflood@32473 MSGNUM="0"] data'
++shutdown_when_empty
++wait_shutdown
++export EXPECTED='data:'
++cmp_exact
++exit_test
+diff --git a/tests/func-substring-relative-endpos.sh b/tests/func-substring-relative-endpos.sh
+new file mode 100755
+index 000000000..43c674598
+--- /dev/null
++++ b/tests/func-substring-relative-endpos.sh
+@@ -0,0 +1,17 @@
++#!/bin/bash
++# addd 2023-01-13 by RGerhards, released under ASL 2.0
++. ${srcdir:=.}/diag.sh init
++generate_conf
++add_conf '
++template(name="outfmt" type="string" string="%$!my_struc_data%\n")
++
++set $!my_struc_data = substring($STRUCTURED-DATA, 1, -2);
++local4.debug action(type="omfile" template="outfmt" file="'$RSYSLOG_OUT_LOG'")
++'
++startup
++injectmsg_literal '<167>1 2003-03-01T01:00:00.000Z hostname1 sender - tag [tcpflood@32473 MSGNUM="0"] data'
++shutdown_when_empty
++wait_shutdown
++export EXPECTED='tcpflood@32473 MSGNUM="0"'
++cmp_exact
++exit_test
+--
+2.12.3
+
diff --git a/backport-support-sha256-for-StreamDriverAuthMode-x50.patch b/backport-support-sha256-for-StreamDriverAuthMode-x50.patch
new file mode 100644
index 0000000000000000000000000000000000000000..941142acf149ef0cb4e301c70dc718d91b961db7
--- /dev/null
+++ b/backport-support-sha256-for-StreamDriverAuthMode-x50.patch
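Review bot: The new guard in `doFunct_Substring` handles `start >= lenSrcStr` but not a negative `start`: with `start = -1` the `else` branch lets `subStrLen` grow to `lenSrcStr + 1`, and the `(es_size_t)start` cast on the unchanged `es_newStrFromSubStr` call turns -1 into a huge unsigned offset, so the "hardening against invalid startpos" is incomplete for the one invalid form the new tests do not cover (they only probe `2000`). Add `if(start < 0) { start = 0; }` before the existing `if(start >= lenSrcStr)` (or fold `start < 0` into that condition if an empty result is preferred), plus a sibling test with a negative startpos mirroring the four added here. `var2Number` is also narrowed into `int` without a range check; whether that matters depends on its return type, which is not in the hunk. The remainder of `doFunct_Substring` lies outside the hunk.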
@@ -0,0 +1,159 @@
+From 7614f08d6e5688be750722c81567916159f99824 Mon Sep 17 00:00:00 2001
+From: cody
+Date: Thu, 7 Jul 2022 16:11:43 +0200
+Subject: [PATCH] [backport] support sha256 for
+ StreamDriverAuthMode="x509/fingerprint"
+
+---
+
+Conflict:NA
+Type:bugfix
+Reference:https://github.com/rsyslog/rsyslog/commit/8a52bf055394b38a0da609ea1104ca336e3d5252
+
+---
+---
+ runtime/nsd_gtls.c | 22 ++++++++++++++++++----
+ runtime/nsd_ossl.c | 24 +++++++++++++++++++-----
+ 2 files changed, 37 insertions(+), 9 deletions(-)
+
+diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
+index da549d728..f1dcaf22b 100644
+--- a/runtime/nsd_gtls.c
++++ b/runtime/nsd_gtls.c
+@@ -493,7 +493,7 @@ print_info(nsd_gtls_t *pThis)
+ * rgerhards, 2008-05-08
+ */
+ static rsRetVal
+-GenFingerprintStr(uchar *pFingerprint, size_t sizeFingerprint, cstr_t **ppStr)
++GenFingerprintStr(uchar *pFingerprint, size_t sizeFingerprint, cstr_t **ppStr, const char* prefix)
+ {
+ cstr_t *pStr = NULL;
+ uchar buf[4];
+@@ -501,7 +501,7 @@ GenFingerprintStr(uchar *pFingerprint, size_t sizeFingerprint, cstr_t **ppStr)
+ DEFiRet;
+
+ CHKiRet(rsCStrConstruct(&pStr));
+- CHKiRet(rsCStrAppendStrWithLen(pStr, (uchar*)"SHA1", 4));
++ CHKiRet(rsCStrAppendStrWithLen(pStr, (uchar*) prefix, strlen(prefix)));
+ for(i = 0 ; i < sizeFingerprint ; ++i) {
+ snprintf((char*)buf, sizeof(buf), ":%2.2X", pFingerprint[i]);
+ CHKiRet(rsCStrAppendStrWithLen(pStr, buf, 3));
+@@ -922,8 +922,11 @@ static rsRetVal
+ gtlsChkPeerFingerprint(nsd_gtls_t *pThis, gnutls_x509_crt_t *pCert)
+ {
+ uchar fingerprint[20];
++ uchar fingerprintSha256[32];
+ size_t size;
++ size_t sizeSha256;
+ cstr_t *pstrFingerprint = NULL;
++ cstr_t *pstrFingerprintSha256 = NULL;
+ int bFoundPositiveMatch;
+ permittedPeers_t *pPeer;
+ int gnuRet;
+@@ -933,17 +936,27 @@ gtlsChkPeerFingerprint(nsd_gtls_t *pThis, gnutls_x509_crt_t *pCert)
+
+ /* obtain the SHA1 fingerprint */
+ size = sizeof(fingerprint);
++ sizeSha256 = sizeof(fingerprintSha256);
+ CHKgnutls(gnutls_x509_crt_get_fingerprint(*pCert, GNUTLS_DIG_SHA1, fingerprint, &size));
+- CHKiRet(GenFingerprintStr(fingerprint, size, &pstrFingerprint));
++ CHKgnutls(gnutls_x509_crt_get_fingerprint(*pCert, GNUTLS_DIG_SHA256, fingerprintSha256, &sizeSha256));
++ CHKiRet(GenFingerprintStr(fingerprint, size, &pstrFingerprint, "SHA1"));
++ CHKiRet(GenFingerprintStr(fingerprintSha256, sizeSha256, &pstrFingerprintSha256, "SHA256"));
+ dbgprintf("peer's certificate SHA1 fingerprint: %s\n", cstrGetSzStrNoNULL(pstrFingerprint));
++ dbgprintf("peer's certificate SHA256 fingerprint: %s\n", cstrGetSzStrNoNULL(pstrFingerprintSha256));
++
+
+ /* now search through the permitted peers to see if we can find a permitted one */
+ bFoundPositiveMatch = 0;
+ pPeer = pThis->pPermPeers;
+ while(pPeer != NULL && !bFoundPositiveMatch) {
+ if(!rsCStrSzStrCmp(pstrFingerprint, pPeer->pszID, strlen((char*) pPeer->pszID))) {
++ dbgprintf("gtlsChkPeerFingerprint: peer's certificate SHA1 MATCH found: %s\n", pPeer->pszID);
+ bFoundPositiveMatch = 1;
+- } else {
++ } else if(!rsCStrSzStrCmp(pstrFingerprintSha256 , pPeer->pszID, strlen((char*) pPeer->pszID))) {
++ dbgprintf("gtlsChkPeerFingerprint: peer's certificate SHA256 MATCH found: %s\n", pPeer->pszID);
++ bFoundPositiveMatch = 1;
++ }
++ else {
+ pPeer = pPeer->pNext;
+ }
+ }
+@@ -2384,3 +2397,4 @@ CODESTARTmodInit
+ ENDmodInit
+ /* vi:set ai:
+ */
++
+diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
+index 5d8ebd86c..d3eb643f7 100644
+--- a/runtime/nsd_ossl.c
++++ b/runtime/nsd_ossl.c
+@@ -387,7 +387,7 @@ long BIO_debug_callback(BIO *bio, int cmd, const char __attribute__((unused)) *a
+ * rgerhards, 2008-05-08
+ */
+ static rsRetVal
+-GenFingerprintStr(uchar *pFingerprint, size_t sizeFingerprint, cstr_t **ppStr)
++GenFingerprintStr(uchar *pFingerprint, size_t sizeFingerprint, cstr_t **ppStr, const char* prefix)
+ {
+ cstr_t *pStr = NULL;
+ uchar buf[4];
+@@ -395,7 +395,7 @@ GenFingerprintStr(uchar *pFingerprint, size_t sizeFingerprint, cstr_t **ppStr)
+ DEFiRet;
+
+ CHKiRet(rsCStrConstruct(&pStr));
+- CHKiRet(rsCStrAppendStrWithLen(pStr, (uchar*)"SHA1", 4));
++ CHKiRet(rsCStrAppendStrWithLen(pStr, (uchar*) prefix, strlen(prefix)));
+ for(i = 0 ; i < sizeFingerprint ; ++i) {
+ snprintf((char*)buf, sizeof(buf), ":%2.2X", pFingerprint[i]);
+ CHKiRet(rsCStrAppendStrWithLen(pStr, buf, 3));
+@@ -613,11 +613,15 @@ osslChkPeerFingerprint(nsd_ossl_t *pThis, X509 *pCert)
+ unsigned int n;
+ uchar *fromHostIP = NULL;
+ uchar fingerprint[20 /*EVP_MAX_MD_SIZE**/];
++ uchar fingerprintSha256[32 /*EVP_MAX_MD_SIZE**/];
+ size_t size;
++ size_t sizeSha256;
+ cstr_t *pstrFingerprint = NULL;
++ cstr_t *pstrFingerprintSha256 = NULL;
+ int bFoundPositiveMatch;
+ permittedPeers_t *pPeer;
+ const EVP_MD *fdig = EVP_sha1();
++ const EVP_MD *fdigSha256 = EVP_sha256();
+
+ ISOBJ_TYPE_assert(pThis, nsd_ossl);
+
+@@ -627,17 +631,27 @@ osslChkPeerFingerprint(nsd_ossl_t *pThis, X509 *pCert)
+ dbgprintf("osslChkPeerFingerprint: error X509cert is not valid!\n");
+ ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT);
+ }
+-
+- CHKiRet(GenFingerprintStr(fingerprint, size, &pstrFingerprint));
++ sizeSha256 = sizeof(fingerprintSha256);
++ if (!X509_digest(pCert,fdigSha256,fingerprintSha256,&n)) {
++ dbgprintf("osslChkPeerFingerprint: error X509cert is not valid!\n");
++ ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT);
++ }
++ CHKiRet(GenFingerprintStr(fingerprint, size, &pstrFingerprint, "SHA1"));
+ dbgprintf("osslChkPeerFingerprint: peer's certificate SHA1 fingerprint: %s\n",
+ cstrGetSzStrNoNULL(pstrFingerprint));
++ CHKiRet(GenFingerprintStr(fingerprintSha256, sizeSha256, &pstrFingerprintSha256, "SHA256"));
++ dbgprintf("osslChkPeerFingerprint: peer's certificate SHA256 fingerprint: %s\n",
++ cstrGetSzStrNoNULL(pstrFingerprintSha256));
+
+ /* now search through the permitted peers to see if we can find a permitted one */
+ bFoundPositiveMatch = 0;
+ pPeer = pThis->pPermPeers;
+ while(pPeer != NULL && !bFoundPositiveMatch) {
+ if(!rsCStrSzStrCmp(pstrFingerprint, pPeer->pszID, strlen((char*) pPeer->pszID))) {
+- dbgprintf("osslChkPeerFingerprint: peer's certificate MATCH found: %s\n", pPeer->pszID);
++ dbgprintf("osslChkPeerFingerprint: peer's certificate SHA1 MATCH found: %s\n", pPeer->pszID);
++ bFoundPositiveMatch = 1;
++ } else if(!rsCStrSzStrCmp(pstrFingerprintSha256, pPeer->pszID, strlen((char*) pPeer->pszID))) {
++ dbgprintf("osslChkPeerFingerprint: peer's certificate SHA256 MATCH found: %s\n", pPeer->pszID);
+ bFoundPositiveMatch = 1;
+ } else {
+ dbgprintf("osslChkPeerFingerprint: NOMATCH peer certificate: %s\n", pPeer->pszID);
+--
+2.12.3
+
diff --git a/rsyslog.spec b/rsyslog.spec
index c3a7ef9fcbf245b83065d402fb085bd32c6cd23e..66a453e0e49987782e193c5348f58c34f75104e3 100644
--- a/rsyslog.spec
+++ b/rsyslog.spec
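Review bot: `pstrFingerprintSha256` is allocated by `GenFingerprintStr` in both `gtlsChkPeerFingerprint` and `osslChkPeerFingerprint`, but neither function's `finalize_it` cleanup is changed — the diffstat's 18 and 19 insertions are fully accounted for by the visible lines — so the SHA-256 string leaks on every fingerprint check, i.e. once per TLS connection in `x509/fingerprint` mode, unless the existing cleanup somehow already covers it. Add, beside wherever each function releases `pstrFingerprint`, `if(pstrFingerprintSha256 != NULL) cstrDestruct(&pstrFingerprintSha256);`; both `finalize_it` blocks lie outside the hunk. In `osslChkPeerFingerprint` the SHA-256 `X509_digest` failure reuses the SHA-1 message `"error X509cert is not valid!"`, which makes the two failure points indistinguishable in debug output; naming the digest in each message is a one-word change. Operationally, a peer still matches if either its SHA-1 or its SHA-256 fingerprint appears in `pPermPeers`, so deployments gain nothing from the stronger digest until their `SHA1:` permitted-peer entries are replaced by `SHA256:` ones; the driver documentation should say so.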
@@ -55,6 +55,19 @@ Patch6019: backport-add-test-for-legacy-permittedPeer-statement.patch
 Patch6020: backport-imtcp-bugfix-legacy-config-directives-did-no-longer-work.patch
 Patch6021: backport-core-bugfix-template-system-may-generate-invalid-json.patch
 Patch6022: backport-omprog-bugfix-invalid-status-handling-at-called-prog.patch
+Patch6023: backport-OpenSSL-fix-depreacted-API-issues-for-OpenS.patch
+Patch6024: backport-MMDBLOOKUP-FIXED-Don-t-crash-Rsyslog-on-mmd.patch
+Patch6025: backport-imptcp-slight-tuning.patch
+Patch6026: backport-imtcp-add-option-notifyonconnectionopen.patch
+Patch6027: backport-imjournal-add-second-fallback-to-_COMM.patch
+Patch6028: backport-bugfix-prevent-pot.-segfault-when-switchung.patch
+Patch6029: backport-substring-function-enhancement-and-hardenin.patch
+Patch6030: backport-core-template-implement-negative-position.t.patch
+Patch6031: backport-core-bugfix-using-uuid-msg-prop-can-deadloc.patch
+Patch6032: backport-imptcp-bugfix-spam-log-on-oversize-message.patch
+Patch6033: backport-GNUTls-Driver-Fix-memory-leaks-in-gtlsInitC.patch
+Patch6034: backport-support-sha256-for-StreamDriverAuthMode-x50.patch
+Patch6035: backport-omfile-add-action-parameters-rotation.patch
 BuildRequires: gcc autoconf automake bison dos2unix flex pkgconfig python3-docutils libtool
 BuildRequires: libgcrypt-devel libuuid-devel zlib-devel krb5-devel libnet-devel gnutls-devel
@@ -529,6 +542,24 @@ done
 %{_mandir}/man1/rscryutil.1.gz
 %changelog
+* Thu Jun 15 2023 linzhuorong - 8.2110.0-16
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:OpenSSL: fix depreacted API issues for OpenSSL 3.x
+ MMDBLOOKUP::FIXED:: Don't crash Rsyslog on mmdb
+ imptcp: slight tuning
+ imtcp: add option notifyonconnectionopen
+ imjournal: add second fallback to _COMM
+ bugfix: prevent pot. segfault when switchung to
+ substring function: enhancement and hardening
+ core/template: implement negative position.to
+ core/bugfix: using $uuid msg prop can deadlock rsyslog on shutdown
+ imptcp bugfix: spam log on oversize message
+ GNUTls Driver: Fix memory leaks in gtlsInitCred
+ support sha256 for StreamDriverAuthMode="x509/fingerprint"
+ omfile: add action parameters "rotation.*"
+
 * Tue Jun 6 2023 zhangqiumiao - 8.2110.0-15
 - Type:NA
 - ID:NA
