[PATCH] NRPE buffer overflow fix

Ethan Galstad nagios at nagios.org
Mon Mar 10 22:09:02 CET 2008


Tobias Klausmann wrote:
> Hi! 
> 
> Quite a while ago (December 31st), Krzysztof Oledzki[0] sent a
> patch to -devel that fixes the buffer overflow in command output
> handling for NRPE.
> 
> Back in the 2.x days, one could think of this as merely a
> nuisance: after the \n, there were extra characters, usually
> random. While still a glaring bug, it usually didn't impede
> Nagios functions. This was due to Nagios ignoring everything
> after the first \n.
> 
> With 3.x, though, multiline support was introduced and Nagios
> cares about (or at least carries on) stuff after the first \n.
> This has several consequences.
> 
> First, the garbage is displayed in the web frontend.
> 
> Second, the CGIs sometimes barf on those random chars, resulting
> in a segfault and, correspondingly, an internal server error for
> Apache. (It might be a good idea to check the CGIs - they
> shouldn't simply die on random chars in the status file.)
> 
> Bottom line: *please* apply Krzysztof's patch to the NRPE code
> base. It fixes a hair-raising bug and cleanly applies for both
> 2.10 and 2.11.
> 
> Regards,
> Tobias
> 
> PS: I've attached Krzysztof's patch again to spare you searching
> the archives.
> 
> [0] ole at ans.pl
> 

Thanks for the reminder - I just released 2.12 with this fix included.


Ethan Galstad
Nagios Developer
___
Email: nagios at nagios.org
Web:   www.nagios.org
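
An added illustration, not NRPE's code and not Krzysztof's patch (which this page does not include): assuming the trailing garbage described above comes from a fixed-size output buffer that is not terminated where the read data ends, the C example below shows a bounded read that always terminates at the byte count, plus the kind of consumer-side check Tobias suggests for the CGIs. The function names `read_output` and `sanitize_output` are hypothetical, and the sample plugin output is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Read at most size-1 bytes of command output and always terminate the
 * buffer at the number of bytes actually read, so stale bytes left in buf
 * never become part of the string. Returns the string length. */
size_t read_output(FILE *fp, char *buf, size_t size)
{
    size_t total = 0, n;

    if (size == 0)
        return 0;
    while (total < size - 1 &&
           (n = fread(buf + total, 1, size - 1 - total, fp)) > 0)
        total += n;
    buf[total] = '\0';
    return total;
}

/* Consumer-side check: replace bytes that are neither printable nor
 * newline/tab, so a reader of the status data never sees raw garbage.
 * Returns how many bytes were replaced. */
size_t sanitize_output(char *s)
{
    size_t replaced = 0;

    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isprint(c) && c != '\n' && c != '\t') {
            *s = '?';
            replaced++;
        }
    }
    return replaced;
}

int main(void)
{
    char buf[16];
    FILE *fp = tmpfile();          /* constructed stand-in for a plugin pipe */

    if (fp == NULL)
        return 1;
    memset(buf, 'X', sizeof(buf)); /* simulate stale data already in the buffer */
    fputs("OK - load 0.1\n", fp);
    rewind(fp);
    printf("%zu bytes: %s", read_output(fp, buf, sizeof(buf)), buf);
    fclose(fp);
    return 0;
}
```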
