[Nagiosplug-devel] buffer overruns
Karl DeBisschop
kdebisschop at alert.infoplease.com
Wed Oct 30 10:44:10 CET 2002
Please be careful when writing code that uses fixed-size buffers. I
recently caught several recently introduced potential overruns in
check_smtp.
I recommend looking at the man page for asprintf (allocating sprintf).
if you run GNU or FreeBSD. With this, there's really no excuse for
allowing potential overruns, or having compiled-in limits on string
size. Plus it's alot faster than the ssprintf hack I had put together
before I found this function.
We're all pretty aware how much attention is paid to security these
days. There's not much risk in the plugins, since you code parameters in
the config files. But there probably is some risk. And I just don't want
to be on the recieving end of a report that the plugins are full of
overruns.
For non-GNU/FreeBSD OS's, ther asprintf function is part of the
snprintf code provided with the tarball. At the moment, there are
problems building on some OS's as a result. But that snprintf code comes
directly from samba, so it should be workable on almost any imaginable
platform. And we will not really be able to release 1.3 without making
it build successfully. In other words, you can count on asprintf being
always available for the plugins, at least by the tiime of release.
--
Karl
More information about the Devel
mailing list