bin/40043: syslogd timestamping & protocol version parsing problems

[gcw%primenet.com.au@localhost]

>Number:         40043
>Category:       bin
>Synopsis:       syslogd timestamping and protocol parsing deficiencies
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Nov 27 04:50:00 +0000 2008
>Originator:     Geoff C. Wing
>Release:        NetBSD 5.99.3
>Organization:
>Environment:
System: NetBSD g.primenet.com.au 5.99.3 NetBSD 5.99.3 (G) #0: Thu Nov 27 
12:14:12 EST 2008 
gcw%g.primenet.com.au@localhost:/usr/netbsd/src/sys/arch/i386/compile/G i386
Architecture: i386
Machine: i386
>Description:
        Syslogd does not properly handle:

        1) the ADDDATE flag which is set with -T invocation and when messages
           come from the kernel.  Other cases where it is set it is ignored
           as timestamping is always done (e.g. logmsg_async())

        2) the variable found_ts in check_timestamp().  It would determine
           whether or not the message had a (possibly valid) timestamp, set
           found_ts to true, then ignore that in most cases.  If we can't find
           a timestamp return.

        3) messages without a parsable timestamp should get one when outputting
           the BSD syslog format so that a syslog-protocol timestamp isn't
           injected (chopped off with BSD syslog length) giving something like:
            "2008-11-27T15:0 cisco -: 1790:"
             ^ time might have been 2008-11-27T15:02:35.296497+11:00

        4) syslog protocol version checking only checked for a leading numeral
           one (1) then skipped two places (presuming a space).  Messages sent
           from some sources (e.g. my cisco) may be
             "1795: Nov 27 04:12:52: %LINEPROTO-5-..."
           which would be chopped to
               "95: Nov 27 04:12:52: %LINEPROTO-5-..."

>How-To-Repeat:
        Use it

>Fix:
Index: usr.sbin/syslogd/syslogd.c
===================================================================
RCS file: /cvsroot/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.93
diff -u -r1.93 syslogd.c
--- usr.sbin/syslogd/syslogd.c  7 Nov 2008 15:42:01 -0000       1.93
+++ usr.sbin/syslogd/syslogd.c  27 Nov 2008 04:36:00 -0000
@@ -1025,10 +1025,17 @@
 
        buffer = buf_msg_new(0);
        p = msg;
-       start = p += check_timestamp((unsigned char*) p,
+       p += check_timestamp((unsigned char*) p,
                &buffer->timestamp, true, !BSDOutputFormat);
        DPRINTF(D_DATA, "Got timestamp \"%s\"\n", buffer->timestamp);
 
+       if (flags & ADDDATE) {
+               FREEPTR(buffer->timestamp);
+               buffer->timestamp = strdup(make_timestamp(NULL,
+                       !BSDOutputFormat));
+       }
+
+       start = p;
        NEXTFIELD(p);
        /* extract host */
        for (start = p;; p++) {
@@ -1235,10 +1242,16 @@
 
        buffer = buf_msg_new(0);
        p = msg;
-       start = p += check_timestamp((unsigned char*) p,
+       p += check_timestamp((unsigned char*) p,
                &buffer->timestamp, false, !BSDOutputFormat);
        DPRINTF(D_DATA, "Got timestamp \"%s\"\n", buffer->timestamp);
 
+       if (flags & ADDDATE || !buffer->timestamp) {
+               FREEPTR(buffer->timestamp);
+               buffer->timestamp = strdup(make_timestamp(NULL,
+                       !BSDOutputFormat));
+       }
+
        if (*p == ' ') p++; /* SP */
        else goto all_bsd_msg;
        /* in any error case we skip header parsing and
@@ -1451,7 +1464,8 @@
                if (*q == '>' && n >= 0 && n < INT_MAX && errno == 0) {
                        p = q + 1;
                        pri = (int)n;
-                       if (*p == '1') { /* syslog-protocol version */
+                       /* check for syslog-protocol version */
+                       if (*p == '1' && p[1] == ' ') {
                                p += 2;  /* skip version and space */
                                bsdsyslog = false;
                        } else {
@@ -1676,21 +1690,24 @@
                    && islower(from_buf[2]))
                        found_ts = true;
        }
-       if (!found_ts && from_buf[0] == '-' && from_buf[1] == ' ') {
-               /* NILVALUE */
-               if (to_iso) {
-                       /* with ISO = syslog-protocol output leave
-                        * it as is, because it is better to have
-                        * no timestamp than a wrong one.
-                        */
-                       *to_buf = strdup("-");
-               } else {
-                       /* with BSD Syslog the field is reqired
-                        * so replace it with current time
-                        */
-                        *to_buf = strdup(make_timestamp(NULL, false));
+       if (!found_ts) {
+               if (from_buf[0] == '-' && from_buf[1] == ' ') {
+                       /* NILVALUE */
+                       if (to_iso) {
+                               /* with ISO = syslog-protocol output leave
+                                * it as is, because it is better to have
+                                * no timestamp than a wrong one.
+                                */
+                               *to_buf = strdup("-");
+                       } else {
+                               /* with BSD Syslog the field is reqired
+                                * so replace it with current time
+                                */
+                               *to_buf = strdup(make_timestamp(NULL, false));
+                       }
+                       return 2;
                }
-               return 2;
+               return 0;
        }
 
        if (!from_iso && !to_iso) {