From 1dfa5f9d836d2153fb76bcbbb235cf5bfdff538b Mon Sep 17 00:00:00 2001
From: "Konstantin J. Chernov" <>
Date: Mon, 17 Apr 2023 13:22:29 +0200
Subject: [PATCH] core bugfix: potential segfault on busy systems

This was discovered by Konstantin J. Chernov in a practicaly deployment. Here, msg object tag processing caused sporadic segfaults. We did not hear from similiar cases, but there clearly is potential for problems because a mutex lock had insufficient range, thus leading to a potential race. The patch is directly from Konstantin J. Chernov, thanks for that. Please note that the mutex lock could be minimized as it is not strictly needed for the pM == NULL case, but this cause is extremely exotic and the resulting code would be harder to understand. Thus we opt to do the locking on funtion level (as usual). Descriptiond edited by Rainer Gerhards closes: https://github.com/rsyslog/rsyslog/issues/5110 Reference:https://github.com/rsyslog/rsyslog/commit/1dfa5f9d836d2153fb76bcbbb235cf5bfdff538b Conflict:NA
---
 runtime/msg.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/runtime/msg.c b/runtime/msg.c
index 03511d3f82..b35bc1dfd2 100644
--- a/runtime/msg.c
+++ b/runtime/msg.c
@@ -2552,12 +2552,15 @@ tryEmulateTAG(smsg_t *const pM, const sbool bLockMutex)
 void ATTR_NONNULL(2,3)
 getTAG(smsg_t * const pM, uchar **const ppBuf, int *const piLen, const sbool bLockMutex)
 {
+	if(bLockMutex == LOCK_MUTEX)
+		MsgLock(pM);
+
 	if(pM == NULL) {
 		*ppBuf = UCHAR_CONSTANT("");
 		*piLen = 0;
 	} else {
 		if(pM->iLenTAG == 0)
-			tryEmulateTAG(pM, bLockMutex);
+			tryEmulateTAG(pM, MUTEX_ALREADY_LOCKED);
 		if(pM->iLenTAG == 0) {
 			*ppBuf = UCHAR_CONSTANT("");
 			*piLen = 0;
@@ -2566,6 +2569,9 @@ getTAG(smsg_t * const pM, uchar **const ppBuf, int *const piLen, const sbool bLo
 			*piLen = pM->iLenTAG;
 		}
 	}
+
+	if(bLockMutex == LOCK_MUTEX)
+		MsgUnlock(pM);
 }
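Review bot: The new `MsgLock(pM);` at the top of getTAG runs before the `if(pM == NULL)` guard that immediately follows it, so a NULL pM now reaches the lock call; if MsgLock reaches the mutex through the message object (its definition is not in the hunk, but the commit text itself says the lock is "not strictly needed for the pM == NULL case", i.e. NULL is an expected input, and ATTR_NONNULL(2,3) deliberately leaves argument 1 nullable), the function trades one potential segfault for a deterministic one on that path. The `MsgUnlock(pM);` added in the second hunk has the same issue. Guarding both on the pointer keeps the function-level locking the description argues for while preserving the NULL-tolerant contract: `if(pM != NULL && bLockMutex == LOCK_MUTEX)` / `MsgLock(pM);` at the top, and the same condition before MsgUnlock at the bottom. If the project in fact guarantees pM is never NULL here, the cleaner alternative is to drop the NULL branch and extend the attribute to ATTR_NONNULL(1,2,3) so the compiler enforces it.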