[TriLUG] Nagios plugin check_http segmentation fault - potential for buffer overflow?

David McDowell turnpike420 at gmail.com
Wed Nov 22 15:47:46 EST 2006


well ian says:  I thought it should do 'UNKNOWN' for any exit code
that is not 0, 1, or 2  (segfault is 139)

so I say, why isn't nagios looking for that and throwing a yellow or
red warning if a plugin throws segfault?  mmm, curious.  :)

David


On 11/22/06, David McDowell <turnpike420 at gmail.com> wrote:
> OK, so there is an issue there.  How about the other part then, why
> would it return green "OK" to nagios?  :)
>
> thanks ian, you rock!
> David
>
>
> On 11/22/06, Ian Kilgore <ian at trilug.org> wrote:
> > On Wed, Nov 22, 2006 at 03:01:00PM -0500, Ian Kilgore wrote:
> > > while (j < len - 2) {
> > I know, I know, I'm replying to myself.  I'm sorry.  Here is a cookie.
> >
> > To clarify, len is size_t.  When len is <2, this becomes:
> >
> > while (j < big number depending on platform) {
> >
> > At the start of base64(), a buffer is allocated.  When len is one, that
> > buffer is
> > (len + 2) / 3 * 4 + 1 = 5 bytes big.  "big number depending on platform"
> > is more than five :)
> >
> > Then stuff like this happens inside the loop:
> > buf[i++] = base64_table[bin[j] >> 2];
> >
> > 'i' does not get smaller, and gets incremented a few times in the body
> > of the loop, so after a bit, base64() starts to write outside of buf.
> > So this is a buffer overflow, but I'm not sure if it can be exploited.
> >
> > Even if it could be exploited, would it really get you anywhere?  :)
> >
> >
> > --
> > Ian Kilgore
> > echo "pfxz at pfxz.trw" | tr pzfwxt ikagno
> >
> >
>
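
The arithmetic Ian describes above, as an added C example (not code from the thread or from the Nagios plugin): it evaluates the quoted loop bound and buffer size for short inputs, next to an encoder whose loop condition cannot wrap. The names `quoted_loop_bound`, `quoted_buf_size` and `base64_safe` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char base64_table[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Bound from the quoted `while (j < len - 2)`: len is size_t, so for
 * len < 2 the subtraction wraps around instead of going negative. */
size_t quoted_loop_bound(size_t len) { return len - 2; }

/* Allocation size quoted in the thread. */
size_t quoted_buf_size(size_t len) { return (len + 2) / 3 * 4 + 1; }

/* Hypothetical hardened encoder: `j + 2 < len` never wraps, and the
 * 1- or 2-byte tail is padded explicitly. Caller frees the result. */
char *base64_safe(const unsigned char *bin, size_t len)
{
    if (len > SIZE_MAX / 4 * 3 - 3) return NULL; /* size math would wrap */
    size_t i = 0, j = 0;
    char *buf = malloc(quoted_buf_size(len));
    if (!buf) return NULL;
    while (j + 2 < len) {                        /* full 3-byte groups only */
        buf[i++] = base64_table[bin[j] >> 2];
        buf[i++] = base64_table[((bin[j] & 3) << 4) | (bin[j + 1] >> 4)];
        buf[i++] = base64_table[((bin[j + 1] & 15) << 2) | (bin[j + 2] >> 6)];
        buf[i++] = base64_table[bin[j + 2] & 63];
        j += 3;
    }
    if (len - j == 1) {                          /* one byte left: "xx==" */
        buf[i++] = base64_table[bin[j] >> 2];
        buf[i++] = base64_table[(bin[j] & 3) << 4];
        buf[i++] = '='; buf[i++] = '=';
    } else if (len - j == 2) {                   /* two bytes left: "xxx=" */
        buf[i++] = base64_table[bin[j] >> 2];
        buf[i++] = base64_table[((bin[j] & 3) << 4) | (bin[j + 1] >> 4)];
        buf[i++] = base64_table[(bin[j + 1] & 15) << 2];
        buf[i++] = '=';
    }
    buf[i] = '\0';
    return buf;
}

int main(void)
{
    printf("len=1: buffer %zu bytes, loop bound %zu\n",
           quoted_buf_size(1), quoted_loop_bound(1));
    char *s = base64_safe((const unsigned char *)"a", 1);
    if (s) { printf("base64_safe(\"a\") = %s\n", s); free(s); }
    return 0;
}
```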


