Re: [Nagios-devel] Bug/Array index out of bounds



Tilo Renz wrote:
>> man 2 read
>>
>> It works the same, and it's the only sensible way it *can*
>> work. If it all
>> of a sudden starts adding nul bytes to the buffer you'll all
>> of a sudden
>> end up unable to read binary byte sequences from files and
>> sockets alike.
>
> Yes, all true, but then we must not use the buffer as a string.
> Here zero-padding is necessary.
> * Weak argument: the debug-printf in line 4495 indicates developers'
> zero-padding intention.
> * Hard argument: In line 3504 the buffer is used to call
> get_next_string_from_buf(recv_buf,&buf_index,sizeof(recv_buf)).
> While we know the number of valid bytes in the buffer, no one cares.
> And even if we change this call to
> get_next_string_from_buf(recv_buf,&buf_index,recv_len), zero-padding
> is still necessary. In get_next_string_from_buf, line 3020, the buffer
> is given to strcspn(buffer, "\n"). Since we can't guarantee a
> newline occurrence, the buffer must be null-terminated or strcspn will
> slurp beyond the buffer's end.
>
>
In accordance with the explanation above, diff attached. Let me know if
this is not valid and needs to change. Latest CVS crashes on Ubuntu 9.04
without this patch and with the check_for_updates=1 option in nagios.cfg.

The beginning of the crash message was:
---
root@ubuntu:/usr/local/nagios# bin/nagios etc/nagios.cfg

Nagios 3.1.0
Copyright (c) 1999-2009 Ethan Galstad (http://www.nagios.org)
Last Modified: 01-25-2009
License: GPL

Nagios 3.1.0 starting... (PID=32328)
Local time is Sat Jun 13 08:35:30 EDT 2009
*** stack smashing detected ***: bin/nagios terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f49da8]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xb7f49d60]
bin/nagios[0x8083d82]
bin/nagios(check_for_nagios_updates+0x6a)[0x8083dfa]
bin/nagios(main+0x552)[0x8058ca2]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7e62775]
bin/nagios[0x80586b1]


--- utils.c 2009-05-17 17:44:19.000000000 +0200
+++ /tmp/utils.c 2009-06-13 15:19:20.000000000 +0200
@@ -4488,9 +4488,9 @@
/*printf("SEND RESULT: %d, SENT: %d\n",result,send_len);*/

/* get response */
- recv_len=sizeof(recv_buf);
+ recv_len=sizeof(recv_buf)-1;
result=my_recvall(sd,recv_buf,&recv_len,2);
- recv_buf[sizeof(recv_buf)]='\x0';
+ recv_buf[recv_len]='\x0';
/*printf("RECV RESULT: %d, RECEIVED: %d\n",result,recv_len);*/

/*
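Review bot: the new terminator write `recv_buf[recv_len]='\x0'` is only in bounds if my_recvall() never hands back a `recv_len` larger than the `sizeof(recv_buf)-1` it was given, including on its error paths; within the hunk `result` is assigned but not checked before the buffer is terminated, so consider guarding on `result` (or on `recv_len < sizeof(recv_buf)`) and adding a comment that the `-1` reserves the last byte for the terminator. The removed `recv_buf[sizeof(recv_buf)]='\x0'` stored one byte past the end of the array, which matches the `*** stack smashing detected ***` abort in check_for_nagios_updates() in the backtrace above.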

This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
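The receive-then-terminate pattern argued for in this thread, written out as an added example that is not Nagios code: a hypothetical fake_recvall() stands in for my_recvall() with a constructed in-memory string as the socket, next_line() mirrors the strcspn-based parse of get_next_string_from_buf(), and the 64-byte buffer, names and sample response are all assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for my_recvall(): copies up to *len bytes from an
 * in-memory "socket" (a constructed string), reports the count actually
 * received in *len and, like read(2)/recv(2), never writes a terminator. */
static int fake_recvall(const char *stream, char *buf, int *len) {
    int avail = (int)strlen(stream);
    int n = avail < *len ? avail : *len;
    memcpy(buf, stream, (size_t)n);
    *len = n;
    return n > 0 ? 0 : -1;
}

/* Next line out of buf, using strcspn(buf, "\n") as get_next_string_from_buf
 * does; strcspn only stops at a NUL, so buf must be terminated first. */
static int next_line(const char *buf, int *idx, char *line, size_t linesz) {
    const char *p = buf + *idx;
    size_t n;
    if (*p == '\0') return 0;          /* terminator reached: no more lines */
    n = strcspn(p, "\n");
    if (n >= linesz) n = linesz - 1;   /* truncate rather than overflow line */
    memcpy(line, p, n);
    line[n] = '\0';
    *idx += (int)n + (p[n] == '\n' ? 1 : 0);
    return 1;
}

static char last_line[64];             /* receives the last parsed line */

/* Patched pattern: request one byte less than the buffer holds, so the
 * terminator at recv_buf[recv_len] always lands inside the array (the removed
 * recv_buf[sizeof(recv_buf)] write is the byte past its end). Returns the
 * number of lines parsed, or -1 on a failed or implausible receive. */
int receive_and_count_lines(const char *stream) {
    char recv_buf[64];
    int recv_len = (int)sizeof(recv_buf) - 1;
    int result = fake_recvall(stream, recv_buf, &recv_len);
    int idx = 0, lines = 0;
    if (result < 0 || recv_len < 0 || recv_len >= (int)sizeof(recv_buf))
        return -1;                     /* never trust the reported count blindly */
    recv_buf[recv_len] = '\0';
    while (next_line(recv_buf, &idx, last_line, sizeof last_line)) lines++;
    return lines;
}

int main(void) {
    int n = receive_and_count_lines("UPDATE_AVAILABLE=0\nLATEST_VERSION=3.1.0\nEND");
    printf("%d lines, last=\"%s\"\n", n, last_line);   /* 3 lines, last="END" */
    return 0;
}
```

A response longer than the buffer is cut at 63 bytes and still parses cleanly, because the terminator is always written inside the array.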