mirror of
https://github.com/monitoring-plugins/monitoring-plugins.git
synced 2026-02-12 07:13:43 -05:00
661ecff45c
A buffer overflow was occurring when the server responded with:
Exceeded MaxStartups\r\n
glibc would then abort() with the following output:
*** buffer overflow detected ***: terminated
It was the memset() that was overflowing the buffer. But the memmove()
needed fixing too.
First off, there was an off-by-one error in both the memmove() and
memset(). byte_offset was already set to the start of the data _past_
the newline (i.e. len + 1). For the memmove(), incrementing that by 1
again lost the first character of the additional output. For the
memset(), this causes a buffer overflow.
Second, the memset() has multiple issues. The comment claims that it
was NULing (sic "null") the "rest". However, it has no idea how long
the "rest" is, at this point. It was NULing BUFF_SZ - byte_offset + 1.
After fixing the off-by-one / buffer overflow, it would be NULing
BUFF_SZ - byte_offset. But that doesn't make any sense. The length of
the first line has no relation to the length of the second line.
For a quick-and-dirty test, add something like this just inside the
while loop:
memcpy(output,
"Exceeded MaxStartups\r\nnext blah1 blah2 blah3 blah4\0",
sizeof("Exceeded MaxStartups\r\nnext blah1 blah2 blah3 blah4\0"));
And, after the memmove(), add:
printf("output='%s'\n", output);
If you fix the memset() buffer overflow, it will output:
output='ext blah1 blah2 blah3 '
As you can see, the first character is lost.
If you then fix the memmove(), it will output:
output='next blah1 blah2 blah3'
Note that this is still losing the "blah4".
After moving the memset() after byte_offset is set to the new strlen()
of output, then it works correctly:
output='next blah1 blah2 blah3 blah4'
Signed-off-by: Richard Laager <rlaager@wiktel.com>
|
||
|---|---|---|
| .. | ||
| check_apt.d | ||
| check_by_ssh.d | ||
| check_cluster.d | ||
| check_dbi.d | ||
| check_dig.d | ||
| check_disk.d | ||
| check_dns.d | ||
| check_fping.d | ||
| check_game.d | ||
| check_hpjd.d | ||
| check_ldap.d | ||
| check_load.d | ||
| check_mrtg.d | ||
| check_mrtgtraf.d | ||
| check_mysql.d | ||
| check_mysql_query.d | ||
| check_nagios.d | ||
| check_nt.d | ||
| check_ntp_peer.d | ||
| check_ntp_time.d | ||
| check_pgsql.d | ||
| check_ping.d | ||
| check_procs.d | ||
| check_radius.d | ||
| check_real.d | ||
| check_smtp.d | ||
| check_ssh.d | ||
| check_swap.d | ||
| check_tcp.d | ||
| check_time.d | ||
| check_ups.d | ||
| negate.d | ||
| picohttpparser | ||
| t | ||
| tests | ||
| check_apt.c | ||
| check_by_ssh.c | ||
| check_cluster.c | ||
| check_curl.c | ||
| check_dbi.c | ||
| check_dig.c | ||
| check_disk.c | ||
| check_dns.c | ||
| check_dummy.c | ||
| check_fping.c | ||
| check_game.c | ||
| check_hpjd.c | ||
| check_http.c | ||
| check_ide_smart.c | ||
| check_ldap.c | ||
| check_load.c | ||
| check_mrtg.c | ||
| check_mrtgtraf.c | ||
| check_mysql.c | ||
| check_mysql_query.c | ||
| check_nagios.c | ||
| check_nt.c | ||
| check_ntp.c | ||
| check_ntp_peer.c | ||
| check_ntp_time.c | ||
| check_pgsql.c | ||
| check_ping.c | ||
| check_procs.c | ||
| check_radius.c | ||
| check_real.c | ||
| check_smtp.c | ||
| check_snmp.c | ||
| check_ssh.c | ||
| check_swap.c | ||
| check_tcp.c | ||
| check_time.c | ||
| check_ups.c | ||
| check_users.c | ||
| common.h | ||
| Makefile.am | ||
| negate.c | ||
| netutils.c | ||
| netutils.h | ||
| popen.c | ||
| popen.h | ||
| runcmd.c | ||
| runcmd.h | ||
| sslutils.c | ||
| urlize.c | ||
| utils.c | ||
| utils.h | ||