[Nagiosplug-devel] Stack overflow in check_clamd/check_tcp
Andreas Ericsson
ae at op5.se
Tue Oct 26 20:52:24 CEST 2010
On 10/26/2010 07:37 PM, Holger Weiß wrote:
> * C. Bensend<benny at bennyvision.com> [2010-10-26 11:32]:
>> I have sent a lot of step output to Holger privately, I can re-send
>> here if it would help.
>
> Here are the most interesting parts. Many thanks for providing them,
> Benny!
>
> |
> | (gdb) bt
> | #0 0x0db1df4d in kill () from /usr/lib/libc.so.56.0
> | #1 0x0db803c3 in __stack_smash_handler (func=0x3c0012ec "np_net_connect",
> | damaged=-809694338) at /usr/src/lib/libc/sys/stack_protector.c:89
> | #2 0x1c003a5d in np_net_connect (host_name=0x0, port=3310, sd=0x3c002064,
> | proto=10652) at netutils.c:267
So crap happens in netutils.c at line 267...
> | #3 0x1c0025b9 in main (argc=1, argv=0xcfbd0ce0) at check_tcp.c:231
> |
> | (gdb) up 3
> | #3 0x1c0025b9 in main (argc=1, argv=0xcfbd0ce0) at check_tcp.c:231
> | 231 result = np_net_connect (server_address, server_port, &sd, PROTOCOL);
> |
> | (gdb) print server_address
> | $2 = 0xcfbd0db3 "/tmp/clamd.socket"
>
> And here is another session which steps through np_net_connect():
>
> | (gdb) run -H /tmp/clamd.socket -t 180
> | Starting program:
> | /home/benny/temp/nagios-plugins-1.4.15/plugins/check_clamd -H
> | /tmp/clamd.socket -t 180
> | [Switching to process 25631, thread 0x8a928800]
> |
> | Breakpoint 1, np_net_connect (host_name=0xcfbe1b7e "/tmp/clamd.socket",
> | port=3310, sd=0x3c002064, proto=6) at netutils.c:162
> | 162 {
> | (gdb) step
> | 170 socktype = (proto == IPPROTO_UDP) ? SOCK_DGRAM : SOCK_STREAM;
> | (gdb) step
> | 173 if(host_name[0] != '/'){
> | (gdb) step
> | 231 if(strlen(host_name) >= UNIX_PATH_MAX){
> | (gdb) step
> | 234 memset(&su, 0, sizeof(su));
> | (gdb) step
> | 236 strncpy(su.sun_path, host_name, UNIX_PATH_MAX);
> | (gdb) step
> | 235 su.sun_family = AF_UNIX;
> | (gdb) step
> | 236 strncpy(su.sun_path, host_name, UNIX_PATH_MAX);
> | (gdb) step
> | strncpy (dst=0xcfbe1940 "", src=0xcfbe1b7e "/tmp/clamd.socket", n=108)
> | at /usr/src/lib/libc/string/strncpy.c:47
> |
> | [...]
> |
> | (gdb) step
> | np_net_connect (host_name=0xcfbe1b7e "/tmp/clamd.socket", port=3310,
> | sd=0x3c002064, proto=6) at netutils.c:237
> | 237 *sd = socket(PF_UNIX, SOCK_STREAM, 0);
> | (gdb) step
> | socket (af=1, type=1, protocol=0)
> | at /usr/src/lib/libpthread/uthread/uthread_socket.c:49
> |
> | [...]
> |
> | (gdb) step
> | np_net_connect (host_name=0xcfbe1b7e "/tmp/clamd.socket", port=3310,
> | sd=0x3c002064, proto=6) at netutils.c:238
> | 238 if(*sd < 0){
> | (gdb) step
> | 237 *sd = socket(PF_UNIX, SOCK_STREAM, 0);
> | (gdb) step
> | 238 if(*sd < 0){
> | (gdb) step
> | 241 result = connect(*sd, (struct sockaddr *)&su, sizeof(su));
> | (gdb) step
> | connect (fd=8, name=0xcfbe193e, namelen=106)
> | at /usr/src/lib/libpthread/uthread/uthread_connect.c:45
> |
> | [...]
> |
> | (gdb) step
> | np_net_connect (host_name=0xcfbe1b7e "/tmp/clamd.socket", port=3310,
> | sd=0x3c002064, proto=6) at netutils.c:242
> | 242 if (result < 0 && errno == ECONNREFUSED)
> | (gdb) step
> | 241 result = connect(*sd, (struct sockaddr *)&su,
> | sizeof(su));
> | (gdb) step
> | 242 if (result < 0 && errno == ECONNREFUSED)
> | (gdb) step
> | 246 if (result == 0)
> | (gdb) step
> | 267 }
... which, in this version of the plugins, contains nothing but an empty
return in a function returning an int, but at a place it cannot hit since
there are else's covering every possible outcome (although removing those
else's is a good idea, since they just make the logic harder to follow and
each of them ends in a return in every possible path anyway).
So what the hell is going on?
--
Andreas Ericsson andreas.ericsson at op5.se
OP5 AB www.op5.se
Tel: +46 8-230225 Fax: +46 8-230231
Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.
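The trace above shows strncpy() at netutils.c:236 called with n=108 (the plugin's UNIX_PATH_MAX) while connect() is passed namelen=106, i.e. sizeof(su) on that platform is smaller than the copy length, so the copy runs past sun_path into the rest of the stack frame, which is what __stack_smash_handler catches. The following is an added example, not code from nagios-plugins, showing the copy bounded by the destination field instead; np_sun_path_size, np_fill_unix_addr and np_path_of_length_fits are hypothetical names, and UNIX_PATH_MAX is defined locally as 108 only because the trace shows that value.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Plugin-style constant (the trace shows strncpy called with n=108);
 * defined here only so this example builds stand-alone. */
#ifndef UNIX_PATH_MAX
#define UNIX_PATH_MAX 108
#endif

/* Size of the real destination field on the platform we compile on.
 * This is 108 on Linux but only 104 on the BSDs, which is why a copy
 * bounded by UNIX_PATH_MAX can overrun sun_path there. */
size_t np_sun_path_size(void)
{
    return sizeof(((struct sockaddr_un *)0)->sun_path);
}

/* Hypothetical bounded replacement for the copy at netutils.c:236.
 * The bound comes from the destination field, not from a constant, and
 * paths that would not fit together with their NUL are rejected.
 * Returns 0 on success, -1 if the path is too long. */
int np_fill_unix_addr(struct sockaddr_un *su, const char *path)
{
    size_t len = strlen(path);
    memset(su, 0, sizeof(*su));
    if (len >= sizeof(su->sun_path))
        return -1;
    memcpy(su->sun_path, path, len + 1);   /* copies the NUL as well */
    su->sun_family = AF_UNIX;
    return 0;
}

/* Helper: builds a constructed path of n bytes ("/aaa...") and reports
 * whether np_fill_unix_addr accepts it (0) or rejects it (-1). */
int np_path_of_length_fits(size_t n)
{
    struct sockaddr_un su;
    char path[512];
    if (n >= sizeof(path))
        return -1;
    memset(path, 'a', n);
    if (n > 0)
        path[0] = '/';
    path[n] = '\0';
    return np_fill_unix_addr(&su, path);
}
```

Compiled on a system whose sun_path is shorter than UNIX_PATH_MAX, np_sun_path_size() returns the real limit the plugin's strlen() check should have used.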