[PATCH] NRPE buffer overflow fix

Tobias Klausmann klausman at schwarzvogel.de
Fri Mar 7 15:29:27 CET 2008


Hi! 

Quite a while ago (December 31st), Krzysztof Oledzki[0] sent a
patch to -devel that fixes the buffer overflow in command output
handling for NRPE.

Back in the 2.x days, one could think of this as merely a
nuisance: after the \n, there were extra characters, usually
random. While still a glaring bug, it usually didn't impede
Nagios functions. This was due to Nagios ignoring everything
after the first \n.

With 3.x, though, multiline support was introduced and Nagios
cares about (or at least carries on) stuff after the first \n.
This has several consequences.

First, the garbage is displayed in the web frontend.

Second, the CGIs sometimes barf on those random chars, resulting
in a segfault and, correspondingly, an internal server error for
Apache. It might be a good idea to check the CGIs - they
shouldn't simply die on random chars in the status file.

Bottom line: *please* apply Krzysztof's patch to the NRPE code
base. It fixes a hair-raising bug and cleanly applies for both
2.10 and 2.11.

Regards,
Tobias

PS: I've attached Krzysztof's patch again to spare you searching
the archives.

[0] ole at ans.pl
-- 
printk(KERN_EMERG "PCI: Tell willy he's wrong\n");
        linux-2.6.6/arch/parisc/kernel/pci.c
--- nrpe-2.10-orig/src/nrpe.c	2007-10-19 15:18:57.000000000 +0200
+++ nrpe-2.10/src/nrpe.c	2007-12-31 00:09:58.000000000 +0100
@@ -1255,7 +1255,6 @@
 	int result;
 	extern int errno;
 	char buffer[MAX_INPUT_BUFFER];
-	char temp_buffer[MAX_INPUT_BUFFER];
 	int fd[2];
 	FILE *fp;
 	int bytes_read=0;
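Review bot: dropping temp_buffer here is safe only if nothing later in this function still references it; the hunk context does not show the rest of the body, so a grep for temp_buffer in the function before applying would confirm the build stays clean. Removing an unused MAX_INPUT_BUFFER-sized array from the stack is a welcome side effect.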
@@ -1385,14 +1384,15 @@
 
 		/* try and read the results from the command output (retry if we encountered a signal) */
 		if(output!=NULL){
-			strcpy(output,"");
-			do{
-				bytes_read=read(fd[0],output,output_length-1);
-		                }while(bytes_read==-1 && errno==EINTR);
-		        }
+			do {
+				bytes_read=read(fd[0], output, output_length-1);
+			} while (bytes_read==-1 && errno==EINTR);
 
-		if(bytes_read==-1 && output!=NULL)
-			strcpy(output,"");
+			if (bytes_read==-1)
+				*output = '\0';
+			else
+				output[bytes_read] = '\0';
+		}
 
 		/* if there was a critical return code and no output AND the command time exceeded the timeout thresholds, assume a timeout */
 		if(result==STATE_CRITICAL && bytes_read==-1 && (end_time-start_time)>=timeout){
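Review bot: `output[bytes_read] = '\0'` is in bounds only because the read() length is `output_length-1`, which reserves the final byte; that silently relies on output_length being at least 1, so making the invariant explicit (for example `if(output!=NULL && output_length>0){`) would prevent a future caller from turning the reserved byte into an underflow. A single read() on a pipe can also return fewer bytes than the plugin wrote; that matches the pre-patch behaviour, but now that 3.x carries multi-line output, a loop until EOF or until the buffer is full would avoid truncating it. The new assignment correctly covers bytes_read == 0 (EOF with no output), which the removed strcpy previously reported as an empty string.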
@@ -1602,7 +1602,6 @@
 void sighandler(int sig){
 	static char *sigs[]={"EXIT","HUP","INT","QUIT","ILL","TRAP","ABRT","BUS","FPE","KILL","USR1","SEGV","USR2","PIPE","ALRM","TERM","STKFLT","CHLD","CONT","STOP","TSTP","TTIN","TTOU","URG","XCPU","XFSZ","VTALRM","PROF","WINCH","IO","PWR","UNUSED","ZERR","DEBUG",(char *)NULL};
 	int i;
-	char temp_buffer[MAX_INPUT_BUFFER];
 
 	if(sig<0)
 		sig=-sig;
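Review bot: the temp_buffer removed from sighandler was an unused MAX_INPUT_BUFFER-sized array on the stack of a signal handler, so besides the cleanup this trims stack usage in the async-signal context; as with the first hunk, confirm nothing else in sighandler references it before applying.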
_______________________________________________
Nagios-devel mailing list
Nagios-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-devel
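The bug the mail describes (command output read with read() but never NUL-terminated, so whatever the buffer held before the call shows up after the plugin's newline) as an added C example that is not part of the mail or of the NRPE code base: the unterminated pattern beside a terminated reader. The terminated reader goes beyond the patch's single read() by looping until EOF or until the buffer is full, so a short pipe read does not truncate multi-line output. Function names and the sample plugin output are constructed for the demo.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Reads command output from fd into 'output' (capacity output_length),
 * always leaving a NUL terminator. Returns bytes stored, or -1 on error.
 * Loops until EOF or the buffer is full so short pipe reads are not lost. */
ssize_t read_output_safe(int fd, char *output, size_t output_length)
{
    size_t total = 0;
    if (output == NULL || output_length == 0)
        return -1;                 /* no room for even the terminator */
    output[0] = '\0';
    while (total < output_length - 1) {
        ssize_t n = read(fd, output + total, output_length - 1 - total);
        if (n == -1) {
            if (errno == EINTR)
                continue;          /* interrupted by a signal: retry */
            output[total] = '\0';
            return -1;
        }
        if (n == 0)
            break;                 /* EOF: the writer closed the pipe */
        total += (size_t)n;
    }
    output[total] = '\0';          /* the byte reserved by output_length-1 */
    return (ssize_t)total;
}

/* The pre-patch pattern: one read(), no terminator written, so stale
 * bytes already in the buffer remain after the data. */
ssize_t read_output_unterminated(int fd, char *output, size_t output_length)
{
    ssize_t n;
    do {
        n = read(fd, output, output_length - 1);
    } while (n == -1 && errno == EINTR);
    return n;
}

/* Simulates a plugin writing 'text' to a pipe, then reads it back with the
 * chosen reader. The buffer is pre-filled with 'X' (a constructed stand-in
 * for stale stack contents) with a NUL only at its last byte, so the
 * unterminated result can be printed without running off the buffer. */
int run_demo(ssize_t (*reader)(int, char *, size_t), const char *text,
             char *buf, size_t buflen)
{
    int fd[2];
    ssize_t n;
    if (pipe(fd) == -1)
        return -1;
    if (write(fd[1], text, strlen(text)) == -1)
        return -1;
    close(fd[1]);                  /* gives the reader EOF */
    memset(buf, 'X', buflen);
    buf[buflen - 1] = '\0';
    n = reader(fd[0], buf, buflen);
    close(fd[0]);
    return n < 0 ? -1 : 0;
}

/* Returns 1 if anything follows the first newline in s, as the CGIs saw. */
int has_trailing_garbage(const char *s)
{
    const char *nl = strchr(s, '\n');
    return nl != NULL && nl[1] != '\0';
}

/* 1 if the unterminated reader leaves stale bytes after the newline. */
int demo_unterminated_has_garbage(void)
{
    static char buf[64];
    if (run_demo(read_output_unterminated, "OK - load average 0.12\n",
                 buf, sizeof buf) != 0)
        return -1;
    return has_trailing_garbage(buf);
}

/* 1 if the terminated reader returns exactly the plugin output. */
int demo_safe_is_exact(void)
{
    static char buf[64];
    if (run_demo(read_output_safe, "OK - load average 0.12\n",
                 buf, sizeof buf) != 0)
        return -1;
    return strcmp(buf, "OK - load average 0.12\n") == 0 &&
           !has_trailing_garbage(buf);
}

int main(void)
{
    printf("unterminated read shows garbage after newline: %d\n",
           demo_unterminated_has_garbage());
    printf("terminated read matches plugin output exactly: %d\n",
           demo_safe_is_exact());
    return 0;
}
```

The pre-filled 'X' bytes play the role of the "random" characters the mail describes: on a real host they are whatever the stack held before, which is why the symptom looked like noise rather than a fixed string.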