[Pkg-nagios-devel] [md@mailq.de: Buffer Overflow in nrpe.c]
Mischa Diehm
md@mailq.de
Mon, 20 Dec 2004 16:50:14 +0100
Hi,
Unfortunately, no one from the Nagios team replied. Maybe you know how to
get in contact with them.
Mischa
----- Forwarded message from Mischa Diehm <md@mailq.de> -----
From: Mischa Diehm <md@mailq.de>
To: nagios@nagios.org
Date: Thu, 2 Dec 2004 16:37:23 +0100
Subject: Buffer Overflow in nrpe.c
User-Agent: Mutt/1.4i
X-OS: Linux (x86)
Hi,
I have been looking a little over the nrpe code trying to figure out why
some of our commands don't work and found that there is a buffer
overflow in the function int add_command (... ).
line 48{5,6} in src/nrpe.c:
    ...
    strcpy(new_command->command_name,command_name);
    strcpy(new_command->command_line,command_line);
    ...
    /**************** COMMAND STRUCTURE DEFINITION **********/
    #define MAX_COMMANDNAME_LENGTH 32    /* maximum short name of a command */
    #define MAX_COMMANDLINE_LENGTH 1024  /* maximum command line length */
    typedef struct command_struct{
            char command_name[MAX_COMMANDNAME_LENGTH];
            char command_line[MAX_COMMANDLINE_LENGTH];
            struct command_struct *next;
            }command;
    ...
If you specify a command_name with length(cmd_name) >32+1024 the nrpe
server segfaults on startup. I think it would also be nice to have a
MAX_COMMANDNAME_LENGTH of 128 so users can define descriptive names for
their commands. You could either use malloc to make it dynamic or just
check the size of *command_name before copying plus use strncpy(3).
Hope that helps - thanks for your time.
Mischa
--
If deadly radiation knocks on your door, do not answer!
----- End forwarded message -----
--
"No one is content with their money, everyone with their intellect."
(Source: unknown)
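
The length check suggested in the forwarded message, written out as an added example (not part of the original mail and not NRPE's own code). The function name add_command_checked, the list head command_list, the return codes and the sample inputs are assumptions made for illustration; the struct and sizes are the ones quoted above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes and struct as quoted in the message. */
#define MAX_COMMANDNAME_LENGTH 32
#define MAX_COMMANDLINE_LENGTH 1024
typedef struct command_struct {
    char command_name[MAX_COMMANDNAME_LENGTH];
    char command_line[MAX_COMMANDLINE_LENGTH];
    struct command_struct *next;
} command;

static command *command_list = NULL;   /* assumed list head */

/* Hypothetical bounded replacement for the two strcpy() calls.
 * Returns 0 on success, -1 on NULL or over-length input, -2 if out of memory. */
int add_command_checked(const char *command_name, const char *command_line)
{
    size_t name_len, line_len;
    command *new_command;

    if (command_name == NULL || command_line == NULL)
        return -1;
    name_len = strlen(command_name);
    line_len = strlen(command_line);
    /* Reject instead of truncating: a cut-off name could collide with
     * another entry, and a cut-off line would run a different command. */
    if (name_len >= MAX_COMMANDNAME_LENGTH || line_len >= MAX_COMMANDLINE_LENGTH)
        return -1;
    new_command = calloc(1, sizeof(*new_command));
    if (new_command == NULL)
        return -2;
    /* Lengths are verified, so each copy fits including the terminating NUL. */
    memcpy(new_command->command_name, command_name, name_len + 1);
    memcpy(new_command->command_line, command_line, line_len + 1);
    new_command->next = command_list;
    command_list = new_command;
    return 0;
}

/* Constructed input: a name longer than both buffers combined, as in the report. */
int try_overlong_name(void)
{
    char name[MAX_COMMANDNAME_LENGTH + MAX_COMMANDLINE_LENGTH + 8];
    memset(name, 'A', sizeof(name) - 1);
    name[sizeof(name) - 1] = '\0';
    return add_command_checked(name, "/bin/true");
}

int main(void)
{
    printf("overlong name: %d\n", try_overlong_name());
    printf("normal entry:  %d\n", add_command_checked("check_users", "/bin/true"));
    return 0;
}
```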