[PATCH] NRPE buffer overflow fix
Ethan Galstad
nagios at nagios.org
Mon Mar 10 22:09:02 CET 2008
Tobias Klausmann wrote:
> Hi!
>
> Quite a while ago (December 31st), Krzysztof Oledzki[0] sent a
> patch to -devel that fixes the buffer overflow in command output
> handling for NRPE.
>
> Back in the 2.x days, one could think of this as merely a
> nuisance: after the \n, there were extra characters, usually
> random. While still a glaring bug, it usually didn't impede
> Nagios functions. This was due to Nagios ignoring everything
> after the first \n.
>
> With 3.x, though, multiline support was introduced and Nagios
> cares about (or at least carries on) stuff after the first \n.
> This has several consequences.
>
> First, the garbage is displayed in the web frontend.
>
> Second, the CGIs sometimes barf on those random chars, resulting
> in a segfault and, correspondingly, an internal server error for
> Apache. It might be a good idea to check the CGIs - they
> shouldn't simply die on random chars in the status file.
>
> Bottom line: *please* apply Krzysztof's patch to the NRPE code
> base. It fixes a hair-raising bug and cleanly applies for both
> 2.10 and 2.11.
>
> Regards,
> Tobias
>
> PS: I've attached Krzysztof's patch again to spare you searching
> the archives.
>
> [0] ole at ans.pl
>
Thanks for the reminder - I just released 2.12 with this fix included.
Ethan Galstad
Nagios Developer
___
Email: nagios at nagios.org
Web: www.nagios.org