It's possible for a client submitting syslog data which is malformed in various ways to convince SyslogUtils.extractEvent to continually fill the ByteArrayOutputStream it uses to collect the event until the agent runs out of memory. Since the OOM condition affects the whole agent, it's possible that a client sending such data (due to accident or malicious intent) to disable the agent, as long as it remains connected.
Note that this is probably only possible using SyslogTcpSource although the fix touches common code in SyslogUtils.java.
The issue can happen in two ways:
Scenario 1: Send a message like this:
<> some more stuff here
This causes a NumberFormatException:
This exception does not get handled, and it happens before reset() can be called. The result is that the state machine in SyslogUtils gets stuck in the DATA state, and all subsequent data just gets appended to the baos, while the above exception streams to the log. Eventually the agent runs out of memory.
Scenario 2: Send some data like this:
No length checking is done in the PRIO state so you could potentially fill the agent memory this way too.
I'm attaching a patch which handles both of these issues and adds more exception handling to buildEvent to make sure that reset() is called in future unforeseen situations.
Thanks also to Roshan Naik for helping to make this patch better.