BUG in history.cgi (+ fix)

Thomas Guyot-Sionnest thomas at zango.com
Thu Jun 19 17:01:29 CEST 2008



Thomas Guyot-Sionnest wrote:
| On 19/06/08 07:46 AM, Franky Van Liedekerke wrote:
|> Hi all,
|
|> I had some problems with history.cgi where it consistently coredumped
|> on me.
|> After some searching, it seems that history.c assumes that each line in
|> nagios.log has a certain maximum length (MAX_INPUT_BUFFER) but some
|> plugins write more info away there (like the check_oracle_health plugin
|> in my case).
|> But the issue is: when such a long line is found, history.c doesn't chop
|> it off after MAX_INPUT_BUFFER characters and as such coredumps ...
|> Solution: add the line
|
|> input[MAX_INPUT_BUFFER]='\x0';
|
|> at around line 551 in cgi/history.c (before the "strip(input);" line),
|> so the code becomes:
|
|>         printf("<P><DIV CLASS='logEntries'>\n");
|
|>         while(1){
|
|>                 free(input);
|
|>                 if(use_lifo==TRUE){
|>                         if((input=pop_lifo())==NULL)
|>                                 break;
|>                         }
|>                 else{
|>                         if((input=mmap_fgets(thefile))==NULL)
|>                                 break;
|>                         }
|
|>                 input[MAX_INPUT_BUFFER]='\x0';
|>                 strip(input);
|
|> This solves my problem for now, but I don't know if it is the correct
|> solution of course ...
|
| I don't have time to test, but it looks like the segfault is just a few
| lines below:
|
| strcpy(input_buffer2,input);
|
| input_buffer2 has a static length of MAX_INPUT_BUFFER, so you should
| rather use strncpy and limit to "MAX_INPUT_BUFFER-1" characters (so it
| will be able to terminate it with a \0).
|
| Your fix will work just as well, but changing strcpy to strncpy is more
| obvious and use of strcpy is discouraged for that exact reason.

Oops... I retract that last sentence... After reading Franky's reply I
just realized that effectively if input hasn't been allocated to be
large enough then you'll write a \0 at some random place in memory...

Use strncpy to avoid problems :)

Thomas

- --
Thomas
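
The bounded copy recommended in this thread, as an added example that is not part of the original message or of the Nagios source. The value of MAX_INPUT_BUFFER, the helper names copy_log_line and check_line, and a line reader that allocates exactly the line length plus one byte are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_INPUT_BUFFER 1024 /* assumed size for this example */

/* Copy a log line of arbitrary length into a fixed-size buffer.
 * Returns 1 if the line had to be truncated, 0 if it fit. */
static int copy_log_line(char dst[MAX_INPUT_BUFFER], const char *src)
{
    /* strncpy writes at most MAX_INPUT_BUFFER-1 bytes here and does NOT
     * add a terminator when src is longer, so terminate explicitly. */
    strncpy(dst, src, MAX_INPUT_BUFFER - 1);
    dst[MAX_INPUT_BUFFER - 1] = '\0';
    return strlen(src) > (size_t)(MAX_INPUT_BUFFER - 1);
}

/* Constructed input: a heap line of exactly line_len characters in a
 * buffer of line_len+1 bytes (assumed allocation). On such a buffer,
 * line[MAX_INPUT_BUFFER]='\0' is an out-of-bounds write whenever
 * line_len < MAX_INPUT_BUFFER, so the limit belongs on the copy instead.
 * Returns the copied length, or -1 on allocation failure or if the
 * truncation flag disagrees with the result. */
static long check_line(size_t line_len)
{
    char input_buffer2[MAX_INPUT_BUFFER];
    char *line = malloc(line_len + 1);
    int truncated;
    size_t n;

    if (line == NULL)
        return -1;
    memset(line, 'A', line_len);
    line[line_len] = '\0';

    truncated = copy_log_line(input_buffer2, line);
    n = strlen(input_buffer2);
    free(line);
    return (truncated == (n < line_len)) ? (long)n : -1;
}

int main(void)
{
    size_t sizes[] = { 80, MAX_INPUT_BUFFER - 1, MAX_INPUT_BUFFER, 5000 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("line=%zu copied=%ld\n", sizes[i], check_line(sizes[i]));
    return 0;
}
```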
