LinuxSA Mailing list archives

Index: [thread] [date] [subject] [author] [stats]

  From: Alan Kennington <akenning@dog.topology.org>
  To  : Jake Hawkes <jake@infinitylimited.net>
  Date: Sun, 22 Apr 2001 07:27:08 +0930

Re: verb bad file system or sendmail/procmail error!#$@

On Sat, Apr 21, 2001 at 09:38:26PM +0000, Jake Hawkes wrote:
> Alan Kennington wrote:
> > 
> > This is now looking more like a real problem and less like
> > a glitch.
> > Every now and then, a log file (of which I have dozens)
> > on my shiny new SuSE 7.1 (kernel 2.4.0) machine with
> > a ReiserFS file system develops a block of nulls.
> > This is clearly due to some sort of incomplete closing of a file
> > or something.
> > 
> > Here's a sample from my incoming e-mail folder:
> > 
> > ===============================================================
> > 
> > I'm assuming that the basename function you wrote is the
> > same as that provided in /usr/include/^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^<....>
> 
> Isn't this a buffer overflow attempt? I'm sure that I've seen this
> before when trying to do bad things with ftp.


Jake,

I don't think so.
All the buffer overflow attempts I've seen before contain
a long string Intel CPU no-op commands, which are 0x90 or something
like that. These characters which I see are nulls.

The nulls in this case have overwritten the incoming e-mail folder -
not appended to it. And besides, I can't think why procmail (which is
used for local mail delivery in SuSE distributions) would back-track
in the mail folder and overwrite with nulls.

I also see these blocks of nulls occasionally in http log files.

Oddly, in this case the nulls are not block-aligned.
In "od -ah", I get this:

=================================================================
0004740   d  sp   i   n  sp   /   u   s   r   /   i   n   c   l   u   d
        2064 6e69 2f20 7375 2f72 6e69 6c63 6475
0004760   e   / nul nul nul nul nul nul nul nul nul nul nul nul nul nul
        2f65 0000 0000 0000 0000 0000 0000 0000
0005000 nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul
        0000 0000 0000 0000 0000 0000 0000 0000
*
0007440 nul nul nul nul nul   F   r   o   m  sp   G   s   t  [...]
        0000 0000 4600 6f72 206d 7347 [...]  
=================================================================

This is clearly not block-aligned.
The total number of nulls seems to be 
07445 - 04762 = 3877 - 2546 = 1331 bytes.

Hmmm. This doesn't look like a file-system sort of thing.
Except that it also occurs in the httpd log files.

The only time I've seen any corruption in incoming mail folders
before is when two processes are trying to modify the folder
at the same time, and that isn't the case here.

Cheers, and thanks,
Alan Kennington.

--------------------------------------------------------------------
    name: Dr. Alan Kennington
  e-mail: akenning@topology.org
 website: http://topology.org/
    city: Adelaide, South Australia
  coords: 34.88051 S, 138.59334 E
timezone: UTC+0930 http://topology.org/timezone.html
 pgp-key: http://topology.org/key_ak2.asc

-- 
LinuxSA WWW: http://www.linuxsa.org.au/  IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
  mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject

Index: [thread] [date] [subject] [author] [stats]

Return to the LinuxSA Mailing List Information Page