[Nagiosplug-devel] Stack overflow in check_clamd/check_tcp

Andreas Ericsson ae at op5.se
Tue Oct 26 20:52:24 CEST 2010


On 10/26/2010 07:37 PM, Holger Weiß wrote:
> * C. Bensend<benny at bennyvision.com>  [2010-10-26 11:32]:
>> I have sent a lot of step output to Holger privately, I can re-send
>> here if it would help.
> 
> Here are the most interesting parts.  Many thanks for providing them,
> Benny!
> 
> |
> | (gdb) bt
> | #0  0x0db1df4d in kill () from /usr/lib/libc.so.56.0
> | #1  0x0db803c3 in __stack_smash_handler (func=0x3c0012ec "np_net_connect",
> |     damaged=-809694338) at /usr/src/lib/libc/sys/stack_protector.c:89
> | #2  0x1c003a5d in np_net_connect (host_name=0x0, port=3310, sd=0x3c002064,
> |     proto=10652) at netutils.c:267

So crap happens in netutils.c at line 267...

> | #3  0x1c0025b9 in main (argc=1, argv=0xcfbd0ce0) at check_tcp.c:231
> |
> | (gdb) up 3
> | #3  0x1c0025b9 in main (argc=1, argv=0xcfbd0ce0) at check_tcp.c:231
> | 231             result = np_net_connect (server_address, server_port, &sd, PROTOCOL);
> |
> | (gdb) print server_address
> | $2 = 0xcfbd0db3 "/tmp/clamd.socket"
> 
> And here is another session which steps through np_net_connect():
> 
> | (gdb) run -H /tmp/clamd.socket -t 180
> | Starting program:
> | /home/benny/temp/nagios-plugins-1.4.15/plugins/check_clamd -H
> | /tmp/clamd.socket -t 180
> | [Switching to process 25631, thread 0x8a928800]
> |
> | Breakpoint 1, np_net_connect (host_name=0xcfbe1b7e "/tmp/clamd.socket",
> |     port=3310, sd=0x3c002064, proto=6) at netutils.c:162
> | 162     {
> | (gdb) step
> | 170             socktype = (proto == IPPROTO_UDP) ? SOCK_DGRAM : SOCK_STREAM;
> | (gdb) step
> | 173             if(host_name[0] != '/'){
> | (gdb) step
> | 231                     if(strlen(host_name)>= UNIX_PATH_MAX){
> | (gdb) step
> | 234                     memset(&su, 0, sizeof(su));
> | (gdb) step
> | 236                     strncpy(su.sun_path, host_name, UNIX_PATH_MAX);
> | (gdb) step
> | 235                     su.sun_family = AF_UNIX;
> | (gdb) step
> | 236                     strncpy(su.sun_path, host_name, UNIX_PATH_MAX);
> | (gdb) step
> | strncpy (dst=0xcfbe1940 "", src=0xcfbe1b7e "/tmp/clamd.socket", n=108)
> |     at /usr/src/lib/libc/string/strncpy.c:47
> |
> | [...]
> |
> | (gdb) step
> | np_net_connect (host_name=0xcfbe1b7e "/tmp/clamd.socket", port=3310,
> |     sd=0x3c002064, proto=6) at netutils.c:237
> | 237                     *sd = socket(PF_UNIX, SOCK_STREAM, 0);
> | (gdb) step
> | socket (af=1, type=1, protocol=0)
> |     at /usr/src/lib/libpthread/uthread/uthread_socket.c:49
> |
> | [...]
> |
> | (gdb) step
> | np_net_connect (host_name=0xcfbe1b7e "/tmp/clamd.socket", port=3310,
> |     sd=0x3c002064, proto=6) at netutils.c:238
> | 238                     if(*sd < 0){
> | (gdb) step
> | 237                     *sd = socket(PF_UNIX, SOCK_STREAM, 0);
> | (gdb) step
> | 238                     if(*sd < 0){
> | (gdb) step
> | 241                     result = connect(*sd, (struct sockaddr *)&su, sizeof(su));
> | (gdb) step
> | connect (fd=8, name=0xcfbe193e, namelen=106)
> |     at /usr/src/lib/libpthread/uthread/uthread_connect.c:45
> |
> | [...]
> |
> | (gdb) step
> | np_net_connect (host_name=0xcfbe1b7e "/tmp/clamd.socket", port=3310,
> |     sd=0x3c002064, proto=6) at netutils.c:242
> | 242                     if (result < 0 && errno == ECONNREFUSED)
> | (gdb) step
> | 241                     result = connect(*sd, (struct sockaddr *)&su, sizeof(su));
> | (gdb) step
> | 242                     if (result < 0 && errno == ECONNREFUSED)
> | (gdb) step
> | 246             if (result == 0)
> | (gdb) step
> | 267     }

... which, in this version of the plugins, contains nothing but an empty
return in a function returning an int, but at a place it cannot hit since
there are else's covering every possible outcome (although removing those
else's is a good idea, since they just make the logic harder to follow and
each of them ends in a return in every possible path anyway).

So what the hell is going on?

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.
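One detail worth reading out of the gdb session above: strncpy() is entered with n=108, while connect() is handed namelen=106, i.e. sizeof(su). On 4.4BSD-derived systems (OpenBSD included) struct sockaddr_un is a one-byte sun_len, a one-byte sun_family and a 104-byte sun_path, which is exactly 106 bytes; 108 is the Linux size of sun_path. A strncpy bounded by a constant of 108 therefore writes four bytes past the end of sun_path whatever the length of the path, because strncpy always writes exactly n bytes. The thread does not say whether that is the cause of the smashed stack, so the following is an added illustration, not code from the thread and not the nagios-plugins source: it measures the overrun a hard-coded bound would produce on the platform it is compiled on, and shows the bounded fill a plugin should use instead. ASSUMED_UNIX_PATH_MAX, fill_unix_addr and the helper names are assumptions made for this example; the socket path is the one from the report.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical stand-in for a hard-coded UNIX_PATH_MAX of 108 (the Linux
   size of sun_path). On 4.4BSD-derived systems sun_path is 104 bytes, so a
   strncpy bounded by this constant writes past the end of the field. */
#define ASSUMED_UNIX_PATH_MAX 108

/* How many bytes strncpy(su.sun_path, path, ASSUMED_UNIX_PATH_MAX) would
   write beyond sun_path on the platform this is compiled on. strncpy writes
   exactly n bytes (NUL padding included), so the overrun depends only on n
   versus the field size, not on the length of the path. */
size_t assumed_copy_overrun(void)
{
    struct sockaddr_un su;
    size_t field = sizeof su.sun_path;
    return ASSUMED_UNIX_PATH_MAX > field ? ASSUMED_UNIX_PATH_MAX - field : 0;
}

/* Hardened fill: the bound comes from the field itself, the path must leave
   room for the terminating NUL, and only strlen(path)+1 bytes are copied, so
   no platform-specific constant is needed. Returns 0 on success, -1 with
   errno = ENAMETOOLONG if the path does not fit. */
int fill_unix_addr(struct sockaddr_un *su, const char *path)
{
    size_t len = strlen(path);

    if (len >= sizeof su->sun_path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(su, 0, sizeof *su);
    su->sun_family = AF_UNIX;
    memcpy(su->sun_path, path, len + 1);   /* len + 1 copies the NUL too */
    return 0;
}

/* Fills an address from path and reports (1/0) whether it reads back
   identically with AF_UNIX set. */
int fill_round_trips(const char *path)
{
    struct sockaddr_un su;
    if (fill_unix_addr(&su, path) != 0)
        return 0;
    return su.sun_family == AF_UNIX && strcmp(su.sun_path, path) == 0;
}

/* Constructed input: a path of exactly n characters ("/aaa..."), used to
   probe the boundary. Returns 1 if fill_unix_addr accepts it, 0 otherwise. */
int path_of_length_fits(size_t n)
{
    struct sockaddr_un su;
    char buf[512];

    if (n == 0 || n >= sizeof buf)
        return 0;
    buf[0] = '/';
    memset(buf + 1, 'a', n - 1);
    buf[n] = '\0';
    return fill_unix_addr(&su, buf) == 0;
}

int main(void)
{
    struct sockaddr_un su;
    size_t field = sizeof su.sun_path;

    printf("sizeof(sun_path) = %zu, sizeof(struct sockaddr_un) = %zu\n",
           field, sizeof su);
    printf("strncpy bounded by %d would overrun sun_path by %zu byte(s)\n",
           ASSUMED_UNIX_PATH_MAX, assumed_copy_overrun());
    printf("/tmp/clamd.socket: %s\n",
           fill_round_trips("/tmp/clamd.socket") ? "ok" : "rejected");
    printf("%zu-char path: %s\n", field - 1,
           path_of_length_fits(field - 1) ? "accepted" : "rejected");
    printf("%zu-char path: %s\n", field,
           path_of_length_fits(field) ? "accepted" : "rejected");
    return 0;
}
```

Compiled on Linux the overrun reports 0 (sun_path is 108 there); on OpenBSD, FreeBSD or macOS it reports 4, which is the case the backtrace above is consistent with. The point of fill_unix_addr is that sizeof su->sun_path is the only bound, so the same code is correct on both.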