[Pkg-nagios-devel] Bug#982847: Acknowledgement (monitoring-plugins-standard: check_pgsql check of database name is too strict)
Florian Lohoff
f at zz.de
Mon Feb 15 12:47:07 GMT 2021
On Mon, Feb 15, 2021 at 10:27:04AM +0000, Debian Bug Tracking System wrote:
> 982847: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982847
> Debian Bug Tracking System
> Contact owner at bugs.debian.org with problems
Hi,
as strcpy may overflow the resulting buffer:
flo at p5:~$ /tmp/f/usr/lib/nagios/plugins/check_pgsql -d "$(seq 1 10000)"
*** buffer overflow detected ***: terminated
Aborted
I would propose to change the code rather like this, using snprintf
which honors the buffer's size and guarantees null termination.
@@ -344,11 +343,7 @@ process_arguments (int argc, char **argv)
pgport = optarg;
break;
case 'd': /* database name */
- if (!is_pg_dbname (optarg)) /* checks length and valid chars */
- usage2 (_("Database name is not valid"), optarg);
- else /* we know length, and know optarg is terminated, so us strcpy */
- strcpy (dbName, optarg);
- break;
+ snprintf(dbName, NAMEDATALEN, "%s", optarg);
case 'l': /* login name */
if (!is_pg_logname (optarg))
usage2 (_("User name is not valid"), optarg);
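Review bot: The break; removed from the end of case 'd' is not replaced, so after the new snprintf line control falls through into case 'l' and the database name is also run through is_pg_logname() as if it were the login name; add break; after the snprintf call. The snprintf return value is also discarded, so an argument of NAMEDATALEN characters or more is now silently truncated where the removed code rejected it through usage2(); compare the return value against NAMEDATALEN and call usage2 (_("Database name is not valid"), optarg) when the name does not fit.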
--
Florian Lohoff f at zz.de
"Unthinking respect for authority is the greatest enemy of truth" - Albert Einstein
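
An added example, not part of the original message or the plugin's source: a bounded copy with snprintf that also checks the return value, so an over-long name is rejected instead of silently truncated. The helper name copy_bounded and the NAMEDATALEN value of 64 (PostgreSQL's default) are assumptions; the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: 64 is PostgreSQL's default NAMEDATALEN; the value the
 * plugin is built with is not shown in the message. */
#ifndef NAMEDATALEN
#define NAMEDATALEN 64
#endif

/* Hypothetical helper: copy src into dst (dstsize bytes in total).
 * Returns 0 when the whole string fits, -1 otherwise. Whenever
 * dstsize > 0, dst is left NUL-terminated; on failure it is empty. */
static int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    int n;

    if (dst == NULL || dstsize == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;

    /* snprintf writes at most dstsize-1 characters plus the NUL and
     * returns the length the full string would have needed. */
    n = snprintf(dst, dstsize, "%s", src);
    if (n < 0 || (size_t)n >= dstsize) {
        dst[0] = '\0';          /* do not keep a truncated name */
        return -1;
    }
    return 0;
}

int main(void)
{
    char dbName[NAMEDATALEN];
    char huge[10000];           /* constructed over-long argument */

    memset(huge, '1', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';

    printf("short name: %d\n", copy_bounded(dbName, sizeof dbName, "nagios_db"));
    printf("huge name:  %d\n", copy_bounded(dbName, sizeof dbName, huge));
    return 0;
}
```
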