[Pkg-nagios-devel] Bug#392010: nsca: crashes on malformed command line

Ulf Harnhammar metaur at telia.com
Mon Oct 9 19:58:50 UTC 2006 

Subject: nsca: crashes on malformed command line
Package: nsca
Version: 2.6-1
Severity: normal
Tags: patch

Hello,

the send_nsca command crashes when you give it a command line containing
the -c or -d parameters with data containing "%n" format strings:


metaur at metaur:~$ /usr/sbin/send_nsca -c %n%n%n%n
Segmentation fault
metaur at metaur:~$ /usr/sbin/send_nsca -d %n%n%n%n
Segmentation fault
metaur at metaur:~$


This is caused by two broken snprintf() calls, that can be fixed by
applying my attached patch.

Format string bugs such as these sometimes cause security issues, but I see
no security implications of this bug whatsoever. As the send_nsca binary is
not set to setuid or setgid anything, the person that runs it already has
all the permissions that the program has. It is still a bug that should be
fixed in the interest of achieving as high quality and stability as possible.

// Ulf Harnhammar

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages nsca depends on:
ii  libc6                        2.3.6.ds1-4 GNU C Library: Shared libraries
ii  libmcrypt4                   2.5.7-5     De-/Encryption Library

nsca recommends no packages.

-- debconf information:
  nsca/run-nsca-daemon:

-------------- next part --------------
--- src/send_nsca.c.old	2006-04-06 23:19:30.000000000 +0200
+++ src/send_nsca.c	2006-10-09 20:47:10.000000000 +0200
@@ -421,7 +421,7 @@ int process_arguments(int argc, char **a
 		/* config file */
 		else if(!strcmp(argv[x-1],"-c")){
 			if(x<argc){
-				snprintf(config_file,sizeof(config_file),argv[x]);
+				snprintf(config_file,sizeof(config_file),"%s",argv[x]);
 				config_file[sizeof(config_file)-1]='\x0';
 				x++;
 			        }
@@ -432,7 +432,7 @@ int process_arguments(int argc, char **a
 		/* delimiter to use when parsing input */
 		else if(!strcmp(argv[x-1],"-d")){
 			if(x<argc){
-				snprintf(delimiter,sizeof(delimiter),argv[x]);
+				snprintf(delimiter,sizeof(delimiter),"%s",argv[x]);
 				delimiter[sizeof(delimiter)-1]='\x0';
 				x++;
 			        }

More information about the Pkg-nagios-devel mailing list