
#153 Sarg 2.3.5/2.3.6/2.3.7 - *** buffer overflow detected ***: /usr/bin/sarg terminated

v1.0_(example)
closed-fixed
nobody
None
5
2014-09-21
2013-06-11
fregati
No

Hello.

I'm running /usr/bin/sarg -z -x -f /etc/sarg/sarg.conf -d 01/05/2013-31/05/2013 -o /srv/www/sarg/Monthly/ -l /var/log/squid/may/access-may.log

  • First: Read file OK...

SARG: sarg version: 2.3.7 May-30-2013
SARG: Reading access log file: /var/log/squid/may/access-may.log
SARG: Records in file: 21150684, reading: 100.00%
SARG: Records read: 21150684, written: 20771309, excluded: 128378
SARG: Squid log format
SARG: Period covered by log files: 01/05/2013-31/05/2013
SARG: (info) date=31/05/2013
SARG: (info) period=01 May 2013-31 May 2013
SARG: Period: 01 May 2013-31 May 2013

  • Second: Sort file OK...

Sort files terminated by on this case...
........
SARG: Sorting log /tmp/sarg/sarg/192_168_3_54.user_unsort
SARG: Making file: /tmp/sarg/sarg/192_168_3_54
SARG: (info) Dansguardian report not produced because no dansguardian configuration file was provided
SARG: (info) No redirector logs provided to produce that kind of report

  • Third: Crash sarg with...

*** buffer overflow detected ***: /usr/bin/sarg terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7ffff714c9d7]
/lib64/libc.so.6(+0xf7af0)[0x7ffff714aaf0]
/lib64/libc.so.6(+0xf6f79)[0x7ffff7149f79]
/lib64/libc.so.6(_IO_default_xsputn+0x89)[0x7ffff70c9349]
/lib64/libc.so.6(_IO_vfprintf+0x2392)[0x7ffff7099922]
/lib64/libc.so.6(__vsprintf_chk+0x97)[0x7ffff714a017]
/lib64/libc.so.6(__sprintf_chk+0x7d)[0x7ffff7149f5d]
/usr/bin/sarg[0x40a6e8]
/usr/bin/sarg[0x412311]
/usr/bin/sarg[0x40fd27]
/usr/bin/sarg[0x408ad5]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7ffff7074455]
/usr/bin/sarg[0x408bad]
======= Memory map: ========
00400000-0043d000 r-xp 00000000 ca:03 557480 /usr/bin/sarg
0063c000-0063d000 r--p 0003c000 ca:03 557480 /usr/bin/sarg
0063d000-0063e000 rw-p 0003d000 ca:03 557480 /usr/bin/sarg
0063e000-00945000 rw-p 00000000 00:00 0 [heap]
7ffff46cb000-7ffff46e0000 r-xp 00000000 ca:03 1700711 /lib64/libgcc_s.so.1
7ffff46e0000-7ffff48df000 ---p 00015000 ca:03 1700711 /lib64/libgcc_s.so.1
7ffff48df000-7ffff48e0000 r--p 00014000 ca:03 1700711 /lib64/libgcc_s.so.1
7ffff48e0000-7ffff48e1000 rw-p 00015000 ca:03 1700711 /lib64/libgcc_s.so.1
...........

I realized that this occurs only when a website is repeated a large number of times for a user or IP. If I eliminate this log, it completes.

For example:
cat access-may.log | grep "192.168.3.54\ TCP_MISS\/404\ 1967\ GET\ http\:\/\/xxxxx.com.br" | wc -l
Result: 1249512

I tested with versions 2.3.5, 2.3.6 and 2.3.7. The same problem occurs in several months of logs when there is a large number of sites per user or IP.

Thanks.

Best regards.

Ricardo Fregati

Discussion

  • Frederic Marchal

    Hello Ricardo,

    I can't reproduce that problem. It may be due to an option in your sarg.conf.

    Can you send /etc/sarg/sarg.conf to me please (fmarchal at users.sourceforge.net) ?

    According to your backtrace, the problem is in a sprintf but I don't know which one. Can you build sarg with debug symbols; reproduce the same problem under gdb and post the backtrace please? If you know how to do this, it could spare me some time trying to reproduce the problem.

     
  • Frederic Marchal

    Does sarg segfault too if it only processes the lines that are repeated many times:

    grep "192.168.3.54\ TCP_MISS\/404\ 1967\ GET\ http\:\/\/xxxxx.com.br" access-may.log | /usr/bin/sarg -z -x -f /etc/sarg/sarg.conf -d 01/05/2013-31/05/2013 -o /srv/www/sarg/Monthly/ -l -
    

    You may want to change the output directory (-o option) to keep any existing report unchanged.

     
  • CESARINE Marc

    CESARINE Marc - 2013-07-18

    Hi Frederic,

    I'm encountering the same issue. When processing monthly reporting, sarg is crashing with the same output (buffer overflow). My access.log file to scan is 14G big.
    I tested with 2.2.6 and 2.3.7 versions of sarg.

    I compiled with debug symbols (CXXFLAGS="-g -O2") and ran it with gdb but didn't get any debug trace.
    See below my gdb output

    ~~~~~~
    root@sf12vm67-rennes:~/sarg/sarg-2.3.7# gdb --args /usr/local/bin/sarg -d 01/06/2013-30/06/2013 -o /var/www/squid-reports//monthly -f /etc/sarg/sarg.conf
    GNU gdb (GDB) 7.1-ubuntu
    Copyright (C) 2010 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law. Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "i486-linux-gnu".
    For bug reporting instructions, please see:
    http://www.gnu.org/software/gdb/bugs/...
    Reading symbols from /usr/local/bin/sarg...done.
    (gdb) run
    Starting program: /usr/local/bin/sarg -d 01/06/2013-30/06/2013 -o /var/www/squid-reports//monthly -f /etc/sarg/sarg.conf
    SARG: Option inconnue : language French
    SARG: Option inconnue : resolve_ip

    SARG: Période couverte par les journaux : 01/06/2013-30/06/2013

    *** buffer overflow detected ***: /usr/local/bin/sarg terminated
    ======= Backtrace: =========
    /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xb7ec92d0]
    /lib/tls/i686/cmov/libc.so.6(+0xe120a)[0xb7ec820a]
    /lib/tls/i686/cmov/libc.so.6(+0xe0948)[0xb7ec7948]
    /lib/tls/i686/cmov/libc.so.6(_IO_default_xsputn+0x9e)[0xb7e506ce]
    /lib/tls/i686/cmov/libc.so.6(_IO_vfprintf+0xf3e)[0xb7e24b4e]
    /lib/tls/i686/cmov/libc.so.6(__vsprintf_chk+0xad)[0xb7ec79fd]
    /lib/tls/i686/cmov/libc.so.6(__sprintf_chk+0x2d)[0xb7ec793d]
    /usr/local/bin/sarg[0x804b60b]
    /usr/local/bin/sarg[0x805bf66]
    /usr/local/bin/sarg[0x8059801]
    /usr/local/bin/sarg[0x8056d02]
    /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0xb7dfdbd6]
    /usr/local/bin/sarg[0x8049ee1]
    ======= Memory map: ========
    08048000-0808a000 r-xp 00000000 fb:01 78119 /usr/local/bin/sarg
    0808a000-0808b000 r--p 00041000 fb:01 78119 /usr/local/bin/sarg
    0808b000-08091000 rw-p 00042000 fb:01 78119 /usr/local/bin/sarg
    08091000-082ff000 rw-p 00000000 00:00 0 [heap]
    [...]
    b7fa9000-b7fd8000 r-xp 00000000 fb:01 2022 /lib/libpcre.so.3.12.1
    b7fd8000-b7fd9000 r--p 0002e000 fb:01 2022 /lib/libpcre.so.3.12.1
    b7fd9000-b7fda000 rw-p 0002f000 fb:01 2022 /lib/libpcre.so.3.12.1
    b7fda000-b7fdb000 r--p 00000000 fb:01 15311 /usr/lib/locale/fr_FR.utf8/LC_NAME
    b7fdb000-b7fdc000 r--p 00000000 fb:01 15342 /usr/lib/locale/fr_FR.utf8/LC_ADDRESS
    b7fdc000-b7fdd000 r--p 00000000 fb:01 15343 /usr/lib/locale/fr_FR.utf8/LC_TELEPHONE
    Program received signal SIGABRT, Aborted.
    0xb7fe2430 in __kernel_vsyscall ()
    (gdb)
    (gdb) quit
    A debugging session is active.

        Inferior 1 [process 24683] will be killed.
    

    Quit anyway? (y or n) y
    root@sf12vm67-rennes:~/sarg/sarg-2.3.7#
    ~~~~~~~~~~

     
  • CESARINE Marc

    CESARINE Marc - 2013-07-22

    The problem occurred with sprintf in util.c:628 in the buildtime function.

    In our case elap value was 373662154752 and buffer is too small. I upgraded size from 12 to 13 and it is working now.

     
  • Frederic Marchal

    • status: open --> closed-fixed
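
Added example (not part of the ticket and not sarg's source): a bounded duration formatter that shows why the reported elap value needs 13 bytes, and why checking snprintf's return value is more robust than enlarging a fixed buffer by one. It assumes elap is in milliseconds and is printed as HH:MM:SS; the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative formatter, not sarg's source: elapsed milliseconds -> "HH:MM:SS".
 * The unit and the format string are assumptions. */
static int print_elapsed(char *buf, size_t size, long long elap_ms)
{
    long long secs = elap_ms > 0 ? elap_ms / 1000 : 0;
    /* snprintf never writes more than `size` bytes and returns the length
     * the full string would have had, so truncation is detectable. */
    return snprintf(buf, size, "%02lld:%02d:%02d",
                    secs / 3600, (int)((secs % 3600) / 60), (int)(secs % 60));
}

/* Bytes needed to hold the formatted value, including the terminating NUL. */
size_t required_size(long long elap_ms)
{
    int len = print_elapsed(NULL, 0, elap_ms);
    return len < 0 ? 0 : (size_t)len + 1;
}

/* Bounded replacement for an unchecked sprintf: 0 on success, -1 if the
 * value did not fit (buf then holds a NUL-terminated truncated prefix). */
int format_elapsed(char *buf, size_t size, long long elap_ms)
{
    int len = print_elapsed(buf, size, elap_ms);
    return (len >= 0 && (size_t)len < size) ? 0 : -1;
}

int main(void)
{
    long long reported = 373662154752LL;   /* elap value quoted in the ticket */
    char small[12], bumped[13];

    printf("bytes needed: %zu\n", required_size(reported));
    printf("12-byte buffer: %s\n",
           format_elapsed(small, sizeof small, reported) ? "truncated" : "ok");
    printf("13-byte buffer: %s\n",
           format_elapsed(bumped, sizeof bumped, reported) ? "truncated" : "ok");
    /* 1,000,000 hours needs one more byte again: a fixed bump only moves the limit. */
    printf("13-byte buffer, 3600000000000 ms: %s\n",
           format_elapsed(bumped, sizeof bumped, 3600000000000LL) ? "truncated" : "ok");
    return 0;
}
```

Under these assumptions the reported value formats to 12 characters plus the terminating NUL, which matches the one-byte overrun that glibc's fortified sprintf aborted on.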
     
