[Nagiosplug-devel] Stack overflow in check_clamd/check_tcp
Andreas Ericsson
ae at op5.se
Tue Oct 26 18:09:25 CEST 2010
On 10/26/2010 02:31 PM, C. Bensend wrote:
>
> Hey folks,
>
> Trying to run check_clamd (symlink to check_tcp) under a recent
> release of OpenBSD -CURRENT has revealed a stack overflow in
> check_tcp. For those of you not familiar, OpenBSD has a number of
> protections built in to limit exposure in the case of application
> flaws, and it appears that it's squashing one in check_tcp:
>
> And backtrace from gdb:
>
> (gdb) run
> Starting program: /tmp/clamd.socket
> No executable file specified.
> Use the "file" or "exec-file" command.
> (gdb) file ./check_clamd
> Reading symbols from
> /home/benny/temp/nagios-plugins-1.4.15/plugins/check_clamd...done.
> (gdb) run
> Starting program:
> /home/benny/temp/nagios-plugins-1.4.15/plugins/check_clamd
> /tmp/clamd.socket
>
> Program received signal SIGABRT, Aborted.
> [Switching to process 4352, thread 0x85c7cc00]
> 0x0567cf4d in kill () from /usr/lib/libc.so.56.0
> (gdb) bt
> #0 0x0567cf4d in kill () from /usr/lib/libc.so.56.0
> #1 0x056df3c3 in __stack_smash_handler (func=0x3c0012ec "np_net_connect",
> damaged=-809678242) at /usr/src/lib/libc/sys/stack_protector.c:89
> #2 0x1c003a5d in np_net_connect (host_name=0x0, port=3310, sd=0x3c002064,
> proto=29869) at netutils.c:267
Was there some tool that stated that this was a stack-based violation
or are you just guessing?
host_name shouldn't be 0x0 here, and np_net_connect() shouldn't
segfault because of it. It's probably not stack-related at all, but a
simple segmentation violation because the program tries to read from
address 0, which it's not allowed to.
> Now, I am rather shaky with my use of gdb, so if one of you
> needs this information differently, please suggest the step-by-step
> to use with gdb to get the information needed, and I'll gather it.
>
The backtrace contains all the necessary information. The syscall
trace kdump is fairly useless, but thanks for being complete in your
report.
I'm not a plugin developer, and I'm far too lazy to hack up such
a simple patch, but returning -1 in np_net_connect() if host_name
is NULL would be a very good idea indeed.
check_clamd should, in turn, warn the user when it's not getting
a host_name so the user knows what's going wrong.
--
Andreas Ericsson andreas.ericsson at op5.se
OP5 AB www.op5.se
Tel: +46 8-230225 Fax: +46 8-230231
Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.
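As an added example (not nagios-plugins' own netutils.c, and not code from this thread), the shape of the fix suggested above: an AF_UNIX connect helper in the spirit of np_net_connect() returns -1 when given a NULL path instead of dereferencing it, and a check_clamd-style caller reports why it failed. The function names, signatures and socket path are assumptions.

```c
/* Added example, not nagios-plugins' own code: a connect helper that
 * validates its arguments, plus the caller-side warning. Names assumed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Returns 0 and stores the connected fd in *sd, or -1 with errno set.
 * *sd is left untouched on failure so no stale descriptor can leak out. */
static int np_unix_connect(const char *path, int *sd)
{
    struct sockaddr_un su;
    int fd, saved;
    /* The check the thread asks for: NULL is a caller bug, not a crash. */
    if (path == NULL || sd == NULL) {
        errno = EINVAL;
        return -1;
    }
    /* Bound the copy by the real size of sun_path on this platform. */
    if (strlen(path) >= sizeof(su.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(&su, 0, sizeof(su));
    su.sun_family = AF_UNIX;
    memcpy(su.sun_path, path, strlen(path) + 1);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&su, sizeof(su)) < 0) {
        saved = errno;          /* keep the real cause across close() */
        close(fd);
        errno = saved;
        return -1;
    }
    *sd = fd;
    return 0;
}

/* What check_clamd should do in turn: say why, and exit CRITICAL (2). */
static int check_clamd_connect(const char *socket_path)
{
    int sd;
    if (np_unix_connect(socket_path, &sd) != 0) {
        fprintf(stderr, "CRITICAL - cannot connect to %s: %s\n",
                socket_path ? socket_path : "(no socket path given)",
                strerror(errno));
        return 2;
    }
    close(sd);
    return 0;
}
```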