Xymon Mailing List Archive

buffer overflow detected in xymongen (4.3.21)

list Japheth Cleaver
Fri, 2 Oct 2015 11:58:28 -0700
Message-Id: <user-dc97bf5a5c9c@xymon.invalid>

A malformed message could be returned as a result of a truncated network
connection to xymond, or other sorts of interesting cases.

                p = strchr(nextline, '\n'); if (p) *p = '\0';
                strcpy(l, nextline);
                if (p) nextline = p+1; else nextline = NULL;

There does seem to be something a little odd there.

I suppose the below patch would at least keep us from writing past the end
on 'l', but in a proper situation we shouldn't need something like it.

-jc


On Fri, October 2, 2015 4:58 am, Axel Beckert wrote:
Hi,

On Fri, Oct 02, 2015 at 01:32:51PM +0200, Axel Beckert wrote:
Today it finally crashed again after I deployed the debug
packages. (It's seldom that I'm so happy to see a core dump. ;-)

Here's the [...] oldest one:
[...]
It's indeed in the WML generation code, should be this line here:
https://sources.debian.net/src/xymon/4.3.21-1/xymongen/wmlgen.c/#L150
Looking at what status changed in the five minutes before the crash I
found two status reports which each had line lengths of 6576 and 6897
characters, but both far shorter than the MAX_LINE_LEN of 16384
characters.

Another thing I could imagine are lines with no trailing newline at
the end. But then again I have no idea where they could come from nor
how I should look for them.

		Kind regards, Axel Beckert
--
Axel Beckert <user-96d9963fe797@xymon.invalid>       support: +41 44 633 26 68
IT Services Group, HPT H 6                  voice: +41 44 633 41 89
Departement of Physics, ETH Zurich
CH-8093 Zurich, Switzerland		   http://nic.phys.ethz.ch/

Attachments (1)
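
The strchr/strcpy loop quoted in this thread copies each line into a fixed buffer with no length check. The following is an added example, not the attached patch and not Xymon code: a bounded line splitter that also handles a final line with no trailing newline. The names next_line and count_lines are hypothetical, and it is an assumption that the line buffer is MAX_LINE_LEN bytes, the value quoted in the thread.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LINE_LEN 16384  /* value quoted in the thread; assumed size of 'l' */

/*
 * Hypothetical helper: copy the next '\n'-terminated line from *cursor into
 * dst (dstsz bytes) without writing to the source buffer. Returns 1 when a
 * line was copied, 0 when the input is exhausted. *truncated is set when the
 * line did not fit and was cut to dstsz-1 bytes.
 */
int next_line(const char **cursor, char *dst, size_t dstsz, int *truncated)
{
    const char *start = *cursor, *nl;
    size_t len;

    if (dstsz == 0 || start == NULL || *start == '\0') return 0;

    nl = strchr(start, '\n');
    len = nl ? (size_t)(nl - start) : strlen(start); /* no newline: take the rest */

    *truncated = (len >= dstsz);
    if (*truncated) len = dstsz - 1;   /* never write past the end of dst */
    memcpy(dst, start, len);
    dst[len] = '\0';

    *cursor = nl ? nl + 1 : NULL;      /* skip the whole line, even if truncated */
    return 1;
}

/* Walk a message line by line; return the line count and report truncations. */
int count_lines(const char *msg, size_t bufsz, int *ntrunc)
{
    char l[MAX_LINE_LEN];
    const char *p = msg;
    int n = 0, t = 0;

    if (bufsz > sizeof(l)) bufsz = sizeof(l);
    *ntrunc = 0;
    while (next_line(&p, l, bufsz, &t)) { n++; *ntrunc += t; }
    return n;
}

int main(void)
{
    int nt;
    /* Constructed sample input: second line has no trailing newline. */
    int n = count_lines("status ok\nno trailing newline", 8, &nt);
    printf("%d lines, %d truncated\n", n, nt);
    return 0;
}
```

Counting truncations rather than silently cutting lines gives the caller something to log when a malformed or oversized status message arrives.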