[Pkg-nagios-devel] [md@mailq.de: Buffer Overflow in nrpe.c]

Mischa Diehm md@mailq.de
Mon, 20 Dec 2004 16:50:14 +0100


unfortunately no one of the nagios team replied. Maybe you know how to
get in contact with them.


----- Forwarded message from Mischa Diehm <md@mailq.de> -----

From: Mischa Diehm <md@mailq.de>
To: nagios@nagios.org
Date: Thu, 2 Dec 2004 16:37:23 +0100
Subject: Buffer Overflow in nrpe.c
User-Agent: Mutt/1.4i
X-OS: Linux (x86)


I have been looking a little over the nrpe code trying to figure out why
some of our commands don't work and found that there is a buffer
overflow in the function int add_command (... ).

line 48{5,6} in src/nrpe.c:



/**************** COMMAND STRUCTURE DEFINITION **********/

#define MAX_COMMANDNAME_LENGTH  32              /* maximum short name of a command */
#define MAX_COMMANDLINE_LENGTH  1024            /* maximum command line length */

typedef struct command_struct{
        char command_name[MAX_COMMANDNAME_LENGTH];
        char command_line[MAX_COMMANDLINE_LENGTH];
        struct command_struct *next;


If you specify a command_name with length(cmd_name) >32+1024  the nrpe
server segfaults on statup. I think it would also be nice to have a
MAX_COMMANDNAME_LENGTH of 128 so users can define descriptive names for
their commands. You could either use malloc to make it dynamical or just
check the size of *command_name before copying plus use strncpy(3).

Hope that helps - thanks for your time.


If deadly radiation knocks on your door, do not answer!

----- End forwarded message -----

"Mit seinem Geld begnuegt sich keiner, mit seinem Verstand jeder."
 (Quelle: Unbekannt)