[Nagios-devel] [PATCH] Fix memory corruption caused by a backslashes
Posted: Mon Apr 06, 2009 11:09 pm
Greetings,
The function unescape_newlines in cgi/cgiutils.c will blindly unescape
any character preceded by the backslash by taking the value of the next
character and incrementing to skip over it. This happens even when that
next character is the terminating null, causing the loop to continue on
corrupting memory until it hits another null character. The attached
patch should fix this issue. It is against 3.0.6 but should still apply
to the latest code.
This bug is triggered when any plugin's output ends with a backslash
which has been reported at least a couple times, most recently here:
http://thread.gmane.org/gmane.network.n ... focus=6117
Cheers,
--
Michael Marineau
ITA Software
--- nagios-3.0.6/cgi/cgiutils.c.orig 2009-04-06 19:29:13.000000000 -0400
+++ nagios-3.0.6/cgi/cgiutils.c 2009-04-06 19:30:29.000000000 -0400
@@ -788,7 +788,7 @@
}
/* unescape backslashes and other stuff */
- else{
+ if(rawbuf[x+1]!='\x0'){
rawbuf[y++]=rawbuf[x+1];
x++;
}
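Review bot: The added `if(rawbuf[x+1]!='\x0'){` replaces `else{` instead of extending it, so this branch is no longer exclusive with the block closed by the `}` on the context line above and will be evaluated again after that block has run. Suggest `else if(rawbuf[x+1]!='\x0'){` so only one of the two cases handles a given backslash. A short comment on what happens to a trailing backslash would also help, since with this check the body is skipped and nothing is copied for it in this branch.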
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
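The failure mode described in the message above, as an added example that is not part of the original post and is not Nagios code. The names `unescape_checked` and `unchecked_overrun` are hypothetical, and keeping a trailing backslash as a literal is a choice made for this sketch.

```c
#include <stddef.h>
#include <string.h>

/* Hardened in-place unescape (hypothetical helper): "\n" becomes a
 * newline, "\X" becomes X, and a backslash directly before the
 * terminator is kept as a literal instead of consuming the terminator.
 * Returns the new string length. */
size_t unescape_checked(char *buf)
{
    size_t x, y;
    for (x = 0, y = 0; buf[x] != '\0'; x++) {
        if (buf[x] != '\\') {
            buf[y++] = buf[x];
        } else if (buf[x + 1] == 'n') {
            buf[y++] = '\n';
            x++;
        } else if (buf[x + 1] != '\0') {
            buf[y++] = buf[x + 1];
            x++;
        } else {
            buf[y++] = '\\';    /* trailing backslash: never skip the NUL */
        }
    }
    buf[y] = '\0';
    return y;
}

/* Models only the index arithmetic of an unchecked loop that always
 * skips the byte after a backslash. It never reads outside the `cap`
 * bytes of `region`. Returns how many bytes past the first terminator
 * the read index travels (0 means the loop stopped where it should). */
size_t unchecked_overrun(const char *region, size_t cap)
{
    const char *nul = memchr(region, '\0', cap);
    size_t end = nul ? (size_t)(nul - region) : cap;
    size_t x;
    for (x = 0; x < cap && region[x] != '\0'; x++) {
        if (region[x] == '\\')
            x++;                /* skips the next byte, even a terminator */
    }
    return x > end ? x - end : 0;
}
```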