[monitoring-plugins] check_icmp: Reject more than 65535 target hosts

Holger Weiss git at monitoring-plugins.org
Wed Jul 1 13:20:13 CEST 2026


 Module: monitoring-plugins
 Branch: master
 Commit: c35c12e58d326ffbd6cfb3c9097653f9f3fb2f4a
 Author: Holger Weiss <holger at zedat.fu-berlin.de>
   Date: Tue Jun 30 15:32:40 2026 +0200
    URL: https://www.monitoring-plugins.org/repositories/monitoring-plugins/commit/?id=c35c12e5

check_icmp: Reject more than 65535 target hosts

The number of -H hosts is counted into an unsigned short, so supplying
more than 65535 hosts wraps the counter.  The subsequent calloc(3) then
allocates an undersized hosts array while the later parsing loop still
writes one entry per host, overflowing the heap buffer.  As
process_arguments() runs before we drop privileges via setuid(getuid()),
this happens while still running as root on setuid-root installs.

Guard both places where the counter is incremented and bail out with a
usage error once 65535 hosts are reached, rather than wrapping silently.

Reported-by: Christopher Kreft <Email at ChristopherKreft.de>

---

 plugins-root/check_icmp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/plugins-root/check_icmp.c b/plugins-root/check_icmp.c
index 1390a03e..f3c83ee0 100644
--- a/plugins-root/check_icmp.c
+++ b/plugins-root/check_icmp.c
@@ -361,6 +361,9 @@ check_icmp_config_wrapper process_arguments(int argc, char **argv) {
 				enforced_ai_family = AF_INET6;
 				break;
 			case 'H': {
+				if (result.config.number_of_hosts == USHRT_MAX) {
+					usage_va("Number of specified hosts exceeds %u", USHRT_MAX);
+				}
 				result.config.number_of_hosts++;
 				break;
 			}
@@ -378,6 +381,9 @@ check_icmp_config_wrapper process_arguments(int argc, char **argv) {
 
 	char **tmp = &argv[optind];
 	while (*tmp) {
+		if (result.config.number_of_hosts == USHRT_MAX) {
+			usage_va("Number of specified hosts exceeds %u", USHRT_MAX);
+		}
 		result.config.number_of_hosts++;
 		tmp++;
 	}



More information about the Commits mailing list