Re: [Nagios-devel] [PATCH] NRPE buffer overflow fix
Posted: Mon Mar 10, 2008 1:09 pm
Tobias Klausmann wrote:
> Hi!
>
> Quite a while ago (December 31st), Krzysztof Oledzki[0] sent a
> patch to -devel that fixes the buffer overflow in command output
> handling for NRPE.
>
> Back in the 2.x days, one could think of this as merely a
> nuisance: after the \n, there were extra characters, usually
> random. While still a glaring bug, it usually didn't impede
> Nagios functions. This was due to Nagios ignoring everything
> after the first \n.
>
> With 3.x, though, multiline support was introduced and Nagios
> cares about (or at least carries on) stuff after the first \n.
> This has several consequences.
>
> First, the garbage is displayed in the web frontend.
>
> Second, the CGIs sometimes barf on those random chars, resulting
> in a segfault and, correspondingly, an internal server error for
> Apache. It might be a good idea to check the CGIs - they
> shouldn't simply die on random chars in the status file).
>
> Bottom line: *please* apply Krzysztofs patch to the NRPE code
> base. It fixes a hair raising bug and cleanly applies for both
> 2.10 and 2.11.
>
> Regards,
> Tobias
>
> PS: I've attached Krzysztofs patch again to spare you searching
> the archives.
>
> [0] [email protected]
>
Thanks for the reminder - I just released 2.12 with this fix included.
Ethan Galstad
Nagios Developer
___
Email: [email protected]
Web: www.nagios.org
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
> Hi!
>
> Quite a while ago (December 31st), Krzysztof Oledzki[0] sent a
> patch to -devel that fixes the buffer overflow in command output
> handling for NRPE.
>
> Back in the 2.x days, one could think of this as merely a
> nuisance: after the \n, there were extra characters, usually
> random. While still a glaring bug, it usually didn't impede
> Nagios functions. This was due to Nagios ignoring everything
> after the first \n.
>
> With 3.x, though, multiline support was introduced and Nagios
> cares about (or at least carries on) stuff after the first \n.
> This has several consequences.
>
> First, the garbage is displayed in the web frontend.
>
> Second, the CGIs sometimes barf on those random chars, resulting
> in a segfault and, correspondingly, an internal server error for
> Apache. It might be a good idea to check the CGIs - they
> shouldn't simply die on random chars in the status file).
>
> Bottom line: *please* apply Krzysztofs patch to the NRPE code
> base. It fixes a hair raising bug and cleanly applies for both
> 2.10 and 2.11.
>
> Regards,
> Tobias
>
> PS: I've attached Krzysztofs patch again to spare you searching
> the archives.
>
> [0] [email protected]
>
Thanks for the reminder - I just released 2.12 with this fix included.
Ethan Galstad
Nagios Developer
___
Email: [email protected]
Web: www.nagios.org
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]