[Nagiosplug-devel] Stack overflow in check_clamd/check_tcp

Andreas Ericsson ae at op5.se
Tue Oct 26 18:09:25 CEST 2010

On 10/26/2010 02:31 PM, C. Bensend wrote:
> Hey folks,
>     Trying to run check_clamd (symlink to check_tcp) under a recent
> release of OpenBSD -CURRENT has revealed a stack overflow in
> check_tcp.  For those of you not familiar, OpenBSD has a number of
> protections built in to limit exposure in the case of application
> flaws, and it appears that it's squashing one in check_tcp:
> And backtrace from gdb:
> (gdb) run
> Starting program:  /tmp/clamd.socket
> No executable file specified.
> Use the "file" or "exec-file" command.
> (gdb) file ./check_clamd
> Reading symbols from
> /home/benny/temp/nagios-plugins-1.4.15/plugins/check_clamd...done.
> (gdb) run
> Starting program:
> /home/benny/temp/nagios-plugins-1.4.15/plugins/check_clamd
> /tmp/clamd.socket
> Program received signal SIGABRT, Aborted.
> [Switching to process 4352, thread 0x85c7cc00]
> 0x0567cf4d in kill () from /usr/lib/libc.so.56.0
> (gdb) bt
> #0  0x0567cf4d in kill () from /usr/lib/libc.so.56.0
> #1  0x056df3c3 in __stack_smash_handler (func=0x3c0012ec "np_net_connect",
>      damaged=-809678242) at /usr/src/lib/libc/sys/stack_protector.c:89
> #2  0x1c003a5d in np_net_connect (host_name=0x0, port=3310, sd=0x3c002064,
>      proto=29869) at netutils.c:267

Was there some tool that stated that this was a stack-based violation
or are you just guessing?

host_name shouldn't be 0x0 here, and np_net_connect() shouldn't
segfault because of it. It's probably not stack-related at all, but a
simple segmentation violation because the program tries to read from
address 0, which it's not allowed to.

> Now, I am rather shaky with my use of gdb, so if one of you
> needs this information differently, please suggest the step-by-step
> to use with gdb to get the information needed, and I'll gather it.

The backtrace contains all the necessary information. The syscall
trace kdump is fairly useless, but thanks for being complete in your

I'm not a plugin developer, and I'm far too lazy to hack up such
a simple patch, but returning -1 in np_net_connect() if host_name
is NULL would be a very good idea indeed.

check_clamd should, in turn, warn the user when it's not getting
a host_name so the user knows what's going wrong.
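As an added example (not code from nagios-plugins, from check_tcp, or from anyone in this thread): a minimal connect helper that does what Andreas suggests, returning -1 when host_name is NULL instead of touching it, together with the caller-side check that reports the missing argument as UNKNOWN. The function names ending in _example, the use of the proto argument as the address family, and the STATE_* values follow the usual Nagios plugin exit-code convention but are this example's own assumptions, not the real np_net_connect() signature or internals. The helper also bounds the copy of a UNIX socket path by sizeof(sun_path), a defensive measure not discussed in the thread.

```c
/* Added example, not nagios-plugins code: a connect helper that
 * refuses a NULL host_name, plus the argument check a plugin should
 * run before calling it. All *_example names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Nagios plugin exit states: OK/WARNING/CRITICAL/UNKNOWN = 0..3. */
enum { STATE_OK = 0, STATE_WARNING = 1, STATE_CRITICAL = 2, STATE_UNKNOWN = 3 };

/* Connect to host_name:port (proto == AF_INET, host_name must be a
 * dotted-quad address so the example needs no DNS) or to the UNIX
 * socket at host_name (proto == AF_UNIX). Returns 0 and stores the
 * descriptor in *sd on success, -1 on any error. The first check is
 * the one proposed above: a NULL host_name is an argument error, not
 * something to read from. */
int np_net_connect_example(const char *host_name, int port, int *sd, int proto)
{
    if (host_name == NULL || sd == NULL)
        return -1;

    if (proto == AF_UNIX) {
        struct sockaddr_un su;
        memset(&su, 0, sizeof su);
        su.sun_family = AF_UNIX;
        /* Bound by the real field size, not a fixed constant: an
         * over-long path is rejected rather than written past the
         * end of the struct. */
        if (strlen(host_name) >= sizeof su.sun_path)
            return -1;
        memcpy(su.sun_path, host_name, strlen(host_name) + 1);
        int fd = socket(AF_UNIX, SOCK_STREAM, 0);
        if (fd < 0)
            return -1;
        if (connect(fd, (struct sockaddr *)&su, sizeof su) < 0) {
            close(fd);
            return -1;
        }
        *sd = fd;
        return 0;
    }

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons((unsigned short)port);
    if (inet_pton(AF_INET, host_name, &sin.sin_addr) != 1)
        return -1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        close(fd);
        return -1;
    }
    *sd = fd;
    return 0;
}

/* Convenience wrapper: returns the helper's result code and closes
 * any descriptor it opened. */
int try_connect_example(const char *host_name, int port, int proto)
{
    int fd = -1;
    int rc = np_net_connect_example(host_name, port, &fd, proto);
    if (rc == 0)
        close(fd);
    return rc;
}

/* What check_clamd/check_tcp should do before calling the helper:
 * report a missing host name or socket path as UNKNOWN instead of
 * letting the helper crash. Returns the plugin exit state. */
int check_host_arg_example(const char *host_name)
{
    if (host_name == NULL || host_name[0] == '\0') {
        fprintf(stderr, "UNKNOWN - no host name or socket path given\n");
        return STATE_UNKNOWN;
    }
    return STATE_OK;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : NULL;
    int state = check_host_arg_example(target);
    if (state != STATE_OK)
        return state;
    int fd = -1;
    if (np_net_connect_example(target, 0, &fd, AF_UNIX) != 0) {
        fprintf(stderr, "CRITICAL - cannot connect to %s: %s\n",
                target, strerror(errno));
        return STATE_CRITICAL;
    }
    close(fd);
    printf("OK - connected to %s\n", target);
    return STATE_OK;
}
```

Run as `./a.out /tmp/clamd.socket` it either connects to the socket or prints a CRITICAL line with the errno text; run with no argument it exits 3 with the UNKNOWN message instead of aborting inside the connect helper.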

