
Commit 78cecb4

committed
fix(csysdig): don't let syslog parse enter events
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
1 parent 0d3e86d commit 78cecb4


2 files changed

+40
-16
lines changed


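--- a/userspace/sysdig/csysdig.cpp
+++ b/userspace/sysdig/csysdig.cpp
@@ -283,7 +283,17 @@ captureinfo do_inspect(sinsp* inspector,
 
 syslog_decoder->reset();
 res = inspector->next(&ev);
-syslog_decoder->parse(ev);
+if (ev)
+{
+const uint16_t etype = ev->get_scap_evt()->type;
+if (etype == PPME_SYSCALL_WRITE_X || etype == PPME_SYSCALL_WRITEV_X ||
+etype == PPME_SYSCALL_PWRITE_X || etype == PPME_SYSCALL_PWRITEV_X ||
+etype == PPME_SOCKET_SEND_X || etype == PPME_SOCKET_SENDTO_X ||
+etype == PPME_SOCKET_SENDMSG_X || etype == PPME_SOCKET_SENDMMSG_X)
+{
+syslog_decoder->parse(ev);
+}
+}
 
 if(res == SCAP_TIMEOUT || res == SCAP_FILTERED_EVENT)
 {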
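Review bot: The hard-coded list of eight exit event types in the new `if (etype == PPME_SYSCALL_WRITE_X || ...)` block duplicates a decision the decoder already makes for itself (it checks the fd type and the event flags on its own side), and the two sets disagree: this caller forwards only write/send exits, while the decoder's parameter selection still has branches for recvmsg/recvmmsg that can never be reached from here. If the intent is "only the direction that carries data to /dev/log", a flag test on `ev->get_info_flags()` would express that without a list that silently drops any new write-family event type. At minimum add a comment above the block, e.g. `// Only write-side exit events can carry a syslog message; the decoder rejects the rest, but skipping them here avoids the call entirely.` Note also that the new `if (ev)` uses a different spacing style from the surrounding `if(res == ...)` in the same function. do_inspect begins and ends outside this hunk.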

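--- a/userspace/sysdig/utils/sinsp_syslog.cpp
+++ b/userspace/sysdig/utils/sinsp_syslog.cpp
@@ -76,30 +76,44 @@ std::string sinsp_syslog_decoder::get_info_line() const {
 }
 
 void sinsp_syslog_decoder::parse(sinsp_evt* evt) {
-if(!evt || !evt->get_fd_info()) {
+const sinsp_evt_param *parinfo;
+int64_t retval;
+ppm_event_flags eflags = evt->get_info_flags();
+uint16_t etype = evt->get_scap_evt()->type;
+
+if((etype == PPME_SOCKET_SENDMMSG_X || etype == PPME_SOCKET_RECVMMSG_X) &&
+evt->get_num_params() == 0) {
 return;
 }
-
+//
+// Extract the return value
+//
+retval = evt->get_syscall_return_value();
+
+if (retval < 0) {
+return;
+}
+
 // Check if this is a syslog fd
-if(!evt->get_fd_info()->is_syslog()) {
+if(evt->get_fd_info() == nullptr || !evt->get_fd_info()->is_syslog()) {
 return;
 }
 
+if(!(eflags & EF_READS_FROM_FD)) {
+return;
+}
+
 // Extract the data buffer based on event type
-uint16_t etype = evt->get_type();
-const sinsp_evt_param* parinfo = nullptr;
+parinfo = nullptr;
 
 // Determine which parameter contains the data based on event type
-if(etype == PPME_SOCKET_SENDMMSG_X) {
-parinfo = evt->get_param(2);
-} else if(etype == PPME_SYSCALL_READV_X || etype == PPME_SYSCALL_PREADV_X ||
-etype == PPME_SOCKET_RECVMSG_X) {
-parinfo = evt->get_param(2);
-} else if(etype == PPME_SOCKET_RECVMMSG_X) {
-parinfo = evt->get_param(3);
-} else {
-parinfo = evt->get_param(1);
-}
+if(etype == PPME_SOCKET_RECVMSG_X) {
+parinfo = evt->get_param(2);
+} else if(etype == PPME_SOCKET_RECVMMSG_X || etype == PPME_SOCKET_SENDMMSG_X) {
+parinfo = evt->get_param(3);
+} else {
+parinfo = evt->get_param(1);
+}
 
 if(parinfo) {
 const char* data = parinfo->m_val;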
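Review bot: The removed first line rejected a null `evt`, but the new code dereferences it immediately in `evt->get_info_flags()` and `evt->get_scap_evt()->type` with no null check at all; the csysdig.cpp caller in this commit now guards with `if (ev)`, but `parse` is a public method and any other caller that relied on the old null-safety now crashes instead of returning. Restore the guard as the first statement, `if(!evt) { return; }`, before the flag and type lookups. Separately, the new `if(!(eflags & EF_READS_FROM_FD))` check looks inverted relative to the caller: csysdig.cpp forwards only write/send exit events, so if EF_READS_FROM_FD marks read-side events as its name suggests, every forwarded event is rejected here and nothing is ever decoded — please confirm which flag marks the write side against the event-flag table. The new `retval < 0` check also silently treats a zero-length write as decodable; a comment stating whether that is intended would help. parse's body continues past the end of this hunk.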
