Re: [Nagios-devel] Re: [[email protected]: Re: CVE-2006-2162: Buffer


Post by Guest »

Good point. How does the attached patch look for fixing this? I may
have to release the patch standalone for a few days, as the SourceForge
CVS servers are currently offline (!).

sean finney wrote:
> hey ethan,
>
> On Thu, May 11, 2006 at 02:17:14PM -0500, Ethan Galstad wrote:
>> If the packet is greater than INT_MAX in size, then yes, the integer
>> would probably overflow and result in a negative size. The patch to the
>> Nagios CGI handles negative values for the Content-Length, so unless I'm
>> missing something, we should be okay. Someone please chime in if you
>> believe otherwise.
>
> try setting Content-Length to INT_MAX-1. because later:
>
> if(!(cgiinput=(char *)malloc(content_length+1))){
>
>
> sean


Ethan Galstad,
Nagios Developer
---
Email: [email protected]
Website: http://www.nagios.org

Attachment (inline): getcgi.patch

*** cgi/getcgi.c 2006-05-12 17:18:52.000000000 -0500
--- ../../nagios-releases/nagios-2.3/cgi/getcgi.c 2006-04-12 14:17:23.000000000 -0500
***************
*** 2,8 ****
*
* GETCGI.C - Nagios CGI Input Routines
*
! * Last Modified: 05-12-2006
*
*****************************************/

--- 2,8 ----
*
* GETCGI.C - Nagios CGI Input Routines
*
! * Last Modified: 04-12-2006
*
*****************************************/
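
Review bot: The diff is generated in the reverse direction. In the file header the `***` (old) side is the working copy cgi/getcgi.c dated 2006-05-12 and the `---` (new) side is the nagios-2.3 release file dated 2006-04-12, and this hunk moves "Last Modified" from 05-12-2006 back to 04-12-2006. Regenerate it with the release file as the first argument to diff, or state in the mail that it has to be applied with patch -R, so that it applies cleanly to a 2.3 tree.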

***************
*** 169,175 ****
printf("getcgivars(): No Content-Length was sent with the POST request.\n") ;
exit(1);
}
! if(content_length=(INT_MAX-1))
content_length=0;
if(!(cgiinput=(char *)malloc(content_length+1))){
printf("getcgivars(): Could not allocate memory for CGI input.\n");
--- 169,175 ----
printf("getcgivars(): No Content-Length was sent with the POST request.\n") ;
exit(1);
}
! if(content_length<0)
content_length=0;
if(!(cgiinput=(char *)malloc(content_length+1))){
printf("getcgivars(): Could not allocate memory for CGI input.\n");
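
Review bot: On the `!` line of the `***` side, `if(content_length=(INT_MAX-1))` uses `=`, which assigns rather than compares. As shown, the condition is always true and content_length is then reset to 0 for every POST. That side also no longer carries the `content_length<0` test that the `---` side has. The check should compare and keep the negative case, for example if(content_length<0 || content_length>=(INT_MAX-1)), so that the content_length+1 passed to malloc on the following line cannot wrap.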

This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
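
Added example, not part of the original post and not code from Nagios's getcgi.c: one way to validate a Content-Length value before the `malloc(content_length+1)` discussed in the thread, so that negative, oversized and non-numeric values never reach the allocation. The names `parse_content_length` and `alloc_cgi_input` and the 1 MiB cap `MAX_POST_BYTES` are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Assumed cap for this example; the thread does not state a limit. */
#define MAX_POST_BYTES (1024L * 1024L)

/*
 * Parse a Content-Length header value (hypothetical helper).
 * Returns 0 and stores the length in *out when the value is a plain
 * decimal number in [0, MAX_POST_BYTES]; returns -1 otherwise.
 */
int parse_content_length(const char *value, size_t *out)
{
    char *end = NULL;
    long n;

    if (value == NULL || *value < '0' || *value > '9')
        return -1;              /* missing, signed, or leading whitespace */

    errno = 0;
    n = strtol(value, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;              /* out of range for long, or trailing junk */
    if (n > MAX_POST_BYTES)
        return -1;              /* far below INT_MAX, so n + 1 cannot wrap */

    *out = (size_t)n;
    return 0;
}

/* Allocate the input buffer only after the length has been validated. */
char *alloc_cgi_input(const char *content_length_header)
{
    size_t len;

    if (parse_content_length(content_length_header, &len) != 0)
        return NULL;
    return calloc(len + 1, 1);  /* +1 for the terminating NUL */
}
```

Rejecting the request outright, instead of clamping a bad length to 0, keeps the allocation size and the number of bytes later read from the request body tied to the same validated value.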