[Nagiosplug-devel] Stack overflow in check_clamd/check_tcp

Andreas Ericsson ae at op5.se
Tue Oct 26 18:09:25 CEST 2010


On 10/26/2010 02:31 PM, C. Bensend wrote:
> 
> Hey folks,
> 
>     Trying to run check_clamd (symlink to check_tcp) under a recent
> release of OpenBSD -CURRENT has revealed a stack overflow in
> check_tcp.  For those of you not familiar, OpenBSD has a number of
> protections built in to limit exposure in the case of application
> flaws, and it appears that it's squashing one in check_tcp:
> 
> And backtrace from gdb:
> 
> (gdb) run
> Starting program:  /tmp/clamd.socket
> No executable file specified.
> Use the "file" or "exec-file" command.
> (gdb) file ./check_clamd
> Reading symbols from
> /home/benny/temp/nagios-plugins-1.4.15/plugins/check_clamd...done.
> (gdb) run
> Starting program:
> /home/benny/temp/nagios-plugins-1.4.15/plugins/check_clamd
> /tmp/clamd.socket
> 
> Program received signal SIGABRT, Aborted.
> [Switching to process 4352, thread 0x85c7cc00]
> 0x0567cf4d in kill () from /usr/lib/libc.so.56.0
> (gdb) bt
> #0  0x0567cf4d in kill () from /usr/lib/libc.so.56.0
> #1  0x056df3c3 in __stack_smash_handler (func=0x3c0012ec "np_net_connect",
>      damaged=-809678242) at /usr/src/lib/libc/sys/stack_protector.c:89
> #2  0x1c003a5d in np_net_connect (host_name=0x0, port=3310, sd=0x3c002064,
>      proto=29869) at netutils.c:267

Was there some tool that stated that this was a stack-based violation
or are you just guessing?

host_name shouldn't be 0x0 here, and np_net_connect() shouldn't
segfault because of it. It's probably not stack-related at all, but a
simple segmentation violation because the program tries to read from
address 0, which it's not allowed to.

> Now, I am rather shaky with my use of gdb, so if one of you
> needs this information differently, please suggest the step-by-step
> to use with gdb to get the information needed, and I'll gather it.
> 

The backtrace contains all the necessary information. The syscall
trace kdump is fairly useless, but thanks for being complete in your
report.

I'm not a plugin developer, and I'm far too lazy to hack up such
a simple patch, but returning -1 in np_net_connect() if host_name
is NULL would be a very good idea indeed.

check_clamd should, in turn, warn the user when it's not getting
a host_name so the user knows what's going wrong.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.
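As an added illustration of the two-part fix suggested in this reply (example code, not from the nagios-plugins tree): an argument guard that makes a connect routine return -1 on a NULL host_name before anything dereferences it, and a plugin-side check that tells the user when no host was supplied. The names np_validate_connect_args, np_net_connect_guarded, fake_connect and clamd_check_args are hypothetical, and the real socket()/connect() logic of netutils.c is replaced by a function pointer so the example runs offline.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>   /* IPPROTO_TCP, IPPROTO_UDP */

/* Nagios plugin exit codes (the real plugins define these in utils.h). */
#define STATE_OK       0
#define STATE_UNKNOWN  3

/* Hypothetical argument guard, written for this example; it sits in front of
 * the real connect logic rather than reproducing netutils.c.
 * Returns 0 when the arguments are usable, -1 (with errno = EINVAL) otherwise. */
int np_validate_connect_args(const char *host_name, int port, int proto)
{
    if (host_name == NULL || host_name[0] == '\0') {
        errno = EINVAL;           /* the case in the report: host_name == 0x0 */
        return -1;
    }
    if (port < 1 || port > 65535) {
        errno = EINVAL;
        return -1;
    }
    if (proto != IPPROTO_TCP && proto != IPPROTO_UDP) {
        errno = EINVAL;           /* anything else is not a protocol this code handles */
        return -1;
    }
    return 0;
}

/* Stand-in for the low-level connect: a function pointer lets the guard be
 * exercised offline.  Real code would call socket()/connect() here. */
typedef int (*connect_fn)(const char *host_name, int port, int proto);

int np_net_connect_guarded(const char *host_name, int port, int proto,
                           connect_fn real_connect)
{
    if (np_validate_connect_args(host_name, port, proto) != 0)
        return -1;                /* never touch host_name when it is NULL */
    return real_connect(host_name, port, proto);
}

/* Offline stand-in that "succeeds" without opening a socket (constructed for this example). */
static int fake_connect(const char *host_name, int port, int proto)
{
    (void)host_name; (void)port; (void)proto;
    return 42;                    /* pretend socket descriptor */
}

/* Plugin-side half of the advice: refuse to run without a host and say why.
 * Writes a usage message into buf and returns the Nagios exit state. */
int clamd_check_args(const char *host_name, char *buf, size_t buflen)
{
    if (host_name == NULL || host_name[0] == '\0') {
        snprintf(buf, buflen,
                 "check_clamd: no host name given (use -H <host>)");
        return STATE_UNKNOWN;
    }
    snprintf(buf, buflen, "check_clamd: connecting to %s", host_name);
    return STATE_OK;
}

int main(void)
{
    char msg[128];
    int state = clamd_check_args(NULL, msg, sizeof msg);
    printf("%s (exit %d)\n", msg, state);

    /* NULL host_name: rejected before anything dereferences it. */
    int sd = np_net_connect_guarded(NULL, 3310, IPPROTO_TCP, fake_connect);
    printf("np_net_connect_guarded(NULL) -> %d, errno=%s\n", sd, strerror(errno));

    sd = np_net_connect_guarded("localhost", 3310, IPPROTO_TCP, fake_connect);
    printf("np_net_connect_guarded(\"localhost\") -> %d\n", sd);
    return 0;
}
```

Run stand-alone, it prints the rejected NULL call followed by the accepted one. The guard also rejects a protocol that is neither IPPROTO_TCP nor IPPROTO_UDP, so a value like the proto=29869 shown in the backtrace above would be refused with -1 instead of reaching the socket code.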



