[Pkg-nagios-devel] Bug#718248: nsca-client: Random segmentation faults of send_nsca

Stefan Peter s.peter at elsoft.ch
Tue Mar 15 14:40:14 UTC 2016


I have encountered this problem, too:

[7083302.117086] send_nsca[15854]: segfault at bf9ec000 ip 08048fad sp
bf9e7a50 error 6 in send_nsca[8048000+5000]
[7169701.935382] send_nsca[22982]: segfault at bff37000 ip 08048fad sp
bff32b00 error 6 in send_nsca[8048000+5000]
[7256101.739524] send_nsca[28416]: segfault at bfff1000 ip 08048fad sp
bffed440 error 6 in send_nsca[8048000+5000]
...

In my case, send_nsca is used by munin-limits.

I was able to create a debug version of nsca-client, obtain a core dump
and I believe this to be the problem:

Reading symbols from /usr/sbin/send_nsca...done.
[New LWP 1669]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library
"/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
Core was generated by `.
sqldb1.mpl.loc	eth0 errors	0	OKs: errors is 0.00, errors is 0'.
Program terminated with signal 11, Segmentation fault.
#0  main (argc=1936269427, argv=0x302e3020) at ./send_nsca.c:204
204				input_buffer[pos] = c;
(gdb) list
199			while (c != 23){
200				if (c == -1){	// in case we don't terminate properly
201						// or are in single-input mode.
202					break;
203					}
204				input_buffer[pos] = c;
205				c = getc(stdin);
206				pos++;
207				}
208			input_buffer[pos] = 0;
(gdb) p c
$1 = 46
(gdb) p pos
$2 = <optimized out>
(gdb) p sizeof(input_buffer)
$3 = 5120

In the while loop above, no check is made for writing past the
input_buffer array which obviously happens in my case. At a second
glance, it seems that this loop should break the input stream into
chunks separated by character 23 which would mitigate my problem.
However, the help of send_nsca is ambiguous regarding the separation for
lines:

Input should be provided in the following format (tab-delimited unless
overriden with -d command line argument, one entry per line):

and later

When submitting multiple simultaneous results, separate each set with
the ETB character (^W or 0x17)


It seems to me that at least munin-limits does not honor the last
sentence but provides multiple results separated by a LF.

I patched send_nsca.c to treat both LF and ETB as result separators
(patch is attached) and I could not reproduce the segfaults anymore.

I'm not sure that this is the proper solution to this problem, though.
Maybe this is better fixed in munin, but I feel at least a check for
input_buffer overflow is missing in send_nsca.


With kind regards

Stefan Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: send_nsca.patch
Type: text/x-patch
Size: 365 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20160315/7e99b046/attachment.bin>
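As an added example (not the reporter's attached patch and not the nsca-client source), the same getc() read loop with the missing bounds check, splitting records on ETB or LF as the report suggests; `read_record` and `INPUT_BUFFER_SIZE` are names assumed for the demo, and only the 0x17 separator and the 5120-byte buffer size come from the report:

```c
/* Added example, not the nsca-client source: a bounds-checked version of the
 * getc() loop in the gdb listing above. The original copies bytes into
 * input_buffer until ETB (0x17) or EOF without ever comparing pos against
 * sizeof(input_buffer). This version stops at ETB, LF or EOF, never writes
 * past the buffer, and reports truncation instead of overflowing. The
 * function name and INPUT_BUFFER_SIZE are assumptions for the demo; only
 * the 0x17 separator and the 5120-byte size come from the report above. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define ETB 0x17                   /* ^W, the separator send_nsca documents */
#define INPUT_BUFFER_SIZE 5120     /* sizeof(input_buffer) from the gdb dump */

/* Read one record from `in` into buf[cap] (always NUL terminated).
 * Returns bytes stored, or -1 if EOF is hit before any byte is read.
 * Sets *truncated to 1 if the record did not fit; the excess up to the
 * next separator is consumed and dropped so the stream stays in sync. */
long read_record(FILE *in, char *buf, size_t cap, int *truncated)
{
    size_t pos = 0;
    int c;

    *truncated = 0;
    if (cap == 0) return -1;
    c = getc(in);
    if (c == EOF) return -1;
    while (c != EOF && c != ETB && c != '\n') {
        if (pos + 1 < cap)         /* keep room for the terminating NUL */
            buf[pos++] = (char)c;
        else
            *truncated = 1;        /* the original would write past here */
        c = getc(in);
    }
    buf[pos] = '\0';
    return (long)pos;
}

int main(void)
{
    char buf[INPUT_BUFFER_SIZE];
    int trunc;
    long n;

    while ((n = read_record(stdin, buf, sizeof buf, &trunc)) >= 0) {
        if (trunc) fprintf(stderr, "warning: record truncated to %ld bytes\n", n);
        printf("record: %s\n", buf);
    }
    return 0;
}
```

Feeding it the LF-separated munin-limits output or ETB-separated input gives one record per call, and an oversized record is reported rather than silently corrupting the stack.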
