[seanius at debian.org: Re: CVE-2006-2162: Buffer overflow in nagios]

sean finney seanius at seanius.net
Sun May 14 19:32:58 CEST 2006


hey ethan,

On Fri, May 12, 2006 at 05:22:44PM -0500, Ethan Galstad wrote:
> Good point.  How does the attached patch look for fixing this?  I may 
> have to release the patch standalone for a few days, as the SourceForge 
> CVS servers are currently offline (!).

fun...

i believe the patch you give should prevent the problem from occurring.

in debian, the patch we're using prints an error and returns error
instead, which i think is slightly more optimal as i'm not sure what
happens when the cgi script expects a content length different from what
it's actually going to get.  i'll attach what we're using for
reference.

the first patch (16_foo) is against 1.x and the second (10_foo) is
against 2.x


	sean

-------------- next part --------------
#! /bin/sh /usr/share/dpatch/dpatch-run
## 16_CVE-2006-2162_content-length.dpatch by  <seanius at debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.

@DPATCH@
diff -urNad nagios-1.4~/cgi/getcgi.c nagios-1.4/cgi/getcgi.c
--- nagios-1.4~/cgi/getcgi.c	2006-04-12 21:25:14.000000000 +0200
+++ nagios-1.4/cgi/getcgi.c	2006-05-12 12:40:54.000000000 +0200
@@ -9,6 +9,7 @@
 #include "../common/config.h"
 #include <stdio.h>
 #include <stdlib.h>
+#include <limits.h>
 #include "getcgi.h"
 
 
@@ -166,8 +167,10 @@
 			printf("getcgivars(): No Content-Length was sent with the POST request.\n") ;
 			exit(1);
 		        }
-		if(content_length<0)
-			content_length=0;
+		if((content_length<0) || (content_length >= INT_MAX-1)){
+			printf("getcgivars(): Suspicious Content-Length was sent with the POST request.\n");
+			exit(1);
+			}
 		if(!(cgiinput=(char *)malloc(content_length+1))){
 			printf("getcgivars(): Could not allocate memory for CGI input.\n");
 			exit(1);
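Review bot: the `INT_MAX-1` bound only keeps `content_length+1` from wrapping in the `malloc()` call just below; any value up to `INT_MAX-2` is still accepted, so a single request can still make the CGI try to allocate close to 2 GiB. Consider rejecting values above a sane maximum POST size here as well, e.g. `if((content_length<0) || (content_length > MAX_CGI_INPUT))`, and check the code that produces `content_length` (not in this hunk), since an out-of-range header value may already have been truncated or wrapped before it reaches this test.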
-------------- next part --------------
#! /bin/sh /usr/share/dpatch/dpatch-run
## 10_CVE-2006-2162_content-length.dpatch by  <seanius at debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.

@DPATCH@
diff -urNad nagios2-2.3~/cgi/getcgi.c nagios2-2.3/cgi/getcgi.c
--- nagios2-2.3~/cgi/getcgi.c	2006-04-12 21:17:23.000000000 +0200
+++ nagios2-2.3/cgi/getcgi.c	2006-05-12 13:18:04.000000000 +0200
@@ -10,6 +10,7 @@
 #include "../include/getcgi.h"
 #include <stdio.h>
 #include <stdlib.h>
+#include <limits.h>
 
 
 #undef PARANOID_CGI_INPUT
@@ -169,8 +170,10 @@
 			printf("getcgivars(): No Content-Length was sent with the POST request.\n") ;
 			exit(1);
 		        }
-		if(content_length<0)
-			content_length=0;
+		if((content_length<0) || (content_length >= INT_MAX-1)){
+			printf("getcgivars(): Suspicious Content-Length was sent with the POST request.\n");
+			exit(1);
+			}
 		if(!(cgiinput=(char *)malloc(content_length+1))){
 			printf("getcgivars(): Could not allocate memory for CGI input.\n");
 			exit(1);
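Review bot: same gap as in the 1.x patch: the `INT_MAX-1` test prevents the `content_length+1` wrap in the `malloc()` below but still lets a request demand nearly 2 GiB, so a tighter application-level maximum is worth adding alongside it. Both dpatch headers also still read `## DP: No description.`; a one-line description naming CVE-2006-2162 and the rejected-instead-of-clamped behaviour would make the change self-explanatory in the package.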
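The check in the Debian patches above, as an added example that is not Nagios's own code: a small helper that validates a CGI `CONTENT_LENGTH` value before it is used to size a buffer, rejecting negative, malformed and oversized values outright (the way the patches do) instead of clamping them. `MAX_POST_BODY`, `parse_content_length` and `alloc_cgi_input` are names assumed for this example.

```c
#include <errno.h>
#include <stdlib.h>

/* Largest POST body this example is willing to buffer. This is an
 * assumption of the example; the Nagios patches only reject >= INT_MAX-1. */
#define MAX_POST_BODY (1024 * 1024)

/* Parse a CONTENT_LENGTH string as a CGI reads it from the environment.
 * Returns the validated length, or -1 if the value is missing, not a
 * well-formed decimal integer, negative, or too large to buffer safely.
 * A caller that then does malloc(len + 1) can never wrap the size. */
int parse_content_length(const char *s)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;                 /* header absent: refuse, don't assume 0 */

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE)           /* digits overflowed a long */
        return -1;
    if (end == s || *end != '\0')  /* no digits, or trailing garbage ("12abc") */
        return -1;
    if (v < 0)                     /* the case the old code clamped to zero */
        return -1;
    if (v > MAX_POST_BODY)         /* also covers the INT_MAX-1 wrap the patch blocks */
        return -1;
    return (int)v;
}

/* Allocate the input buffer the way getcgivars() does, but only after the
 * length has passed parse_content_length(), so len + 1 cannot overflow.
 * Returns a NUL-terminated buffer of len + 1 bytes, or NULL on any error.
 * The caller frees it. */
char *alloc_cgi_input(const char *content_length_env)
{
    int len = parse_content_length(content_length_env);
    char *buf;

    if (len < 0)
        return NULL;
    buf = malloc((size_t)len + 1);
    if (buf == NULL)
        return NULL;
    buf[len] = '\0';
    return buf;
}
```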
