[Nagiosplug-devel] [ nagiosplug-Bugs-2797757 ] segfault in check_mysql when checking slave (-S)

SourceForge.net noreply at sourceforge.net
Thu May 28 10:03:45 CEST 2009


Bugs item #2797757, was opened at 2009-05-28 12:03
Message generated for change (Tracker Item Submitted) made by nikitajob
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=2797757&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: General plugin execution
Group: Release (specify)
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Nikita Girman (nikitajob)
Assigned to: Nobody/Anonymous (nobody)
Summary: segfault in check_mysql when checking slave (-S)

Initial Comment:
Plugin Version (-V output): check_mysql v2034 (nagios-plugins 1.4.13)
Plugin Name: check_mysql
Plugin Commandline showing issues: check_mysql -u checker -p "123" -H 172.16.7.17 -P 13306 -S
Operating System: FreeBSD 7.1-RELEASE-p4 amd64
Architecture: amd64
Compiler: gcc version 4.2.1 20070719  [FreeBSD]

check_mysql crashes with segfault when checking mysql slave (-S option), regardless of warning/critical ranges specified or not (MYSQL server has to be alive to reproduce the bug). Only 64-bit arch is affected, i386 version works fine. I discovered the memory allocation problem in function _set_thresholds() (line 107 of lib/utils_base.c file):
...
thresholds *temp_thresholds = NULL;

        temp_thresholds = malloc(sizeof(temp_thresholds));
...
Instead of the thresholds struct size, the size of a _pointer_ to thresholds is requested, which leads to insufficient memory allocation for the struct and further memory corruption during the mysql_init (&mysql) call (line 92 in check_mysql.c):

--- gdb.txt ---
Breakpoint 1 at 0x4020d0: file check_mysql.c, line 92.
Starting program: ~/src/nagios-plugins-1.4.13/plugins/check_mysql -u checker -p "123" -H 172.16.7.17 -P 13306 -S

Breakpoint 1, main (argc=10, argv=0x7fffffffeb70) at check_mysql.c:92
92              mysql_init (&mysql);
Watchpoint 2: my_threshold->critical
$1 = (range *) 0x0
Continuing.
Watchpoint 2: my_threshold->critical

Old value = (range *) 0x0
New value = (range *) 0x67
0x0000000801374420 in memcpy () from /lib/libc.so.7
#0  0x0000000801374420 in memcpy () from /lib/libc.so.7
#1  0x00000008012fb86f in strdup () from /lib/libc.so.7
#2  0x0000000801349b42 in _nsyylex () from /lib/libc.so.7
#3  0x0000000801348e63 in _nsyyparse () from /lib/libc.so.7
#4  0x000000080134e9a7 in nsdispatch () from /lib/libc.so.7
#5  0x000000080133fdbc in getservbyname_r () from /lib/libc.so.7
#6  0x000000080133f79b in if_nametoindex () from /lib/libc.so.7
#7  0x000000080065b2f6 in mysql_server_init () from /usr/pkg/lib/mysql/libmysqlclient.so.14
#8  0x000000080067a9b8 in mysql_init () from /usr/pkg/lib/mysql/libmysqlclient.so.14
#9  0x00000000004020dd in main (argc=10, argv=0x7fffffffeb70) at check_mysql.c:92
Continuing.
Watchpoint 2: my_threshold->critical

Old value = (range *) 0x67
New value = (range *) 0x7267
0x0000000801374420 in memcpy () from /lib/libc.so.7
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000403ad2 in check_range (value=0, my_range=0x70756f7267) at utils_base.c:168
168             if (my_range->alert_on == INSIDE) {
--- end of gdb.txt ---

The bug still exists in latest nagios-plugins snapshot.

----------------------------------------------------------------------
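
The allocation mismatch described in the report, as an added example that is not part of the original report or the nagios-plugins source. The struct layouts are stand-ins assumed here (the report only shows a `critical` member of type `range *` and `alert_on` in `range`), and the helper names are hypothetical. It checks which members fall outside the undersized request and shows the `sizeof *ptr` form of the allocation.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in types (assumed layout): the report only shows that thresholds
 * has a `critical` member of type range * and that range has `alert_on`. */
typedef struct { double start, end; int alert_on; } range;
typedef struct { range *warning; range *critical; } thresholds;

/* Bytes requested by the reported line: sizeof applied to the pointer. */
static size_t buggy_request(void) { thresholds *t = NULL; return sizeof(t); }

/* Bytes the struct actually needs. */
static size_t needed_request(void) { return sizeof(thresholds); }

/* 1 if a field at [off, off+len) lies inside an allocation of `alloc` bytes. */
static int field_fits(size_t alloc, size_t off, size_t len)
{
    return off <= alloc && len <= alloc - off;
}

/* Corrected allocation: size taken from the pointed-to object, zeroed so
 * both range pointers start out NULL. */
static thresholds *thresholds_new(void)
{
    thresholds *t = calloc(1, sizeof *t);
    return t; /* caller checks for NULL and frees */
}

int main(void)
{
    size_t got = buggy_request();
    printf("requested %zu bytes, struct needs %zu\n", got, needed_request());
    printf("warning  inside allocation: %d\n",
           field_fits(got, offsetof(thresholds, warning), sizeof(range *)));
    printf("critical inside allocation: %d\n",
           field_fits(got, offsetof(thresholds, critical), sizeof(range *)));
    thresholds *t = thresholds_new();
    if (t == NULL) return 1;
    printf("fixed: critical=%p\n", (void *)t->critical);
    free(t);
    return 0;
}
```

With this layout the `critical` member lies wholly past the requested bytes, which matches the gdb watchpoint on `my_threshold->critical` changing while unrelated libc code copies strings.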
