[Nagiosplug-devel] Stack overflow in check_clamd/check_tcp

Holger Weiß holger at CIS.FU-Berlin.DE
Wed Oct 27 11:33:10 CEST 2010


* Andreas Ericsson <ae at op5.se> [2010-10-27 10:08]:
> On 10/26/2010 11:35 PM, Holger Weiß wrote:
> > * Andreas Ericsson<ae at op5.se>  [2010-10-26 20:52]:
> >> On 10/26/2010 07:37 PM, Holger Weiß wrote:
> >>> | (gdb) bt
> >>> | #0  0x0db1df4d in kill () from /usr/lib/libc.so.56.0
> >>> | #1  0x0db803c3 in __stack_smash_handler (func=0x3c0012ec "np_net_connect",
> >>> |     damaged=-809694338) at /usr/src/lib/libc/sys/stack_protector.c:89
> >>> | #2  0x1c003a5d in np_net_connect (host_name=0x0, port=3310, sd=0x3c002064,
> >>> |     proto=10652) at netutils.c:267
> >>
> >> So crap happens in netutils.c at line 267...
> > 
> > As you said (later on), that's the end of the np_net_connect() function.
> > The stack protection code lets the process crash at this point because
> > it detects that the return address has been modified since the function
> > was called.
> 
> But it shouldn't even REACH that point.

I don't think _that_ point is _actually_ reached.  I guess GDB just
points at the end of the function definition in such cases (where the
stack protection code aborts the process).  Of course, it would be nicer
if GDB pointed at the return statement, instead.

So:

> You could basically put
> 
>   printf("Buggy compiler. This portion is never reached with a sane one");
>   kill(getpid(), SIGABRT);
> 
> above line 267 and just KNOW that things would be right.

I doubt that code would be executed.  But Benny could try, of course :-)

Either way:

> It looks like a buggy compiler

I think so, too.  Either that or one of the libc functions called in
np_net_connect() is trashing the stack.  Or we're overlooking something.

Holger
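To make the mechanism discussed in this thread concrete, here is an added illustration (not code from the thread, from the Nagios plugins, or from any libc): a small C model of what `-fstack-protector` does. The guard word is stored in the prologue, sits between the local buffer and the saved return address, and is compared in the epilogue, which is why the abort in `__stack_smash_handler` is reported at the closing line of the function rather than at the write that did the damage. The `struct frame` layout, the guard constant and the function names are constructed for the example; real frame layouts are compiler- and ABI-specific.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a protected stack frame: the guard word sits between
 * the local buffer and the saved return address, so an overflow that could
 * reach the return address must clobber the guard first. */
struct frame {
    char     buf[16];
    uint64_t guard;
    uint64_t saved_return;
};

/* Arbitrary constant standing in for the per-process random guard. */
#define GUARD_VALUE 0x5a5a0f0f13371337ULL

/* Models a function with a 16-byte local buffer compiled with the stack
 * protector: prologue stores the guard, the body copies 'len' bytes into
 * the buffer without a bound, the epilogue checks the guard.
 * Returns 0 when the guard survived (the real function would return
 * normally) and 1 when it was clobbered (the real process would abort in
 * __stack_smash_handler at the epilogue, the point gdb shows). */
int unbounded_call(const unsigned char *input, size_t len)
{
    struct frame f;
    f.guard = GUARD_VALUE;       /* prologue: store the guard */
    f.saved_return = 0x41414141; /* placeholder for the saved return address */

    /* The write stays inside the struct object so the demonstration itself
     * is well-defined; it still runs past buf into guard and saved_return
     * exactly as an unchecked copy into a stack buffer would. */
    size_t room = sizeof f - offsetof(struct frame, buf);
    if (len > room)
        len = room;
    memcpy((unsigned char *)&f + offsetof(struct frame, buf), input, len);

    /* epilogue: the only place the damage is noticed */
    if (f.guard != GUARD_VALUE) {
        fprintf(stderr, "guard clobbered: %#llx (return slot now %#llx)\n",
                (unsigned long long)f.guard, (unsigned long long)f.saved_return);
        return 1;
    }
    return 0;
}

/* The fix a reviewer would ask for: bound the copy to the buffer size.
 * The protector then has nothing to catch. Same return convention. */
int bounded_call(const unsigned char *input, size_t len)
{
    struct frame f;
    f.guard = GUARD_VALUE;
    f.saved_return = 0x41414141;

    if (len > sizeof f.buf)
        len = sizeof f.buf;      /* truncate instead of overrunning */
    memcpy(f.buf, input, len);

    return f.guard != GUARD_VALUE;
}

/* Constructed inputs: a short string that fits, and 40 bytes of 'A'
 * that would overrun the 16-byte buffer. */
int demo_short_fits(void)
{
    const unsigned char in[] = "short";
    return unbounded_call(in, sizeof in - 1);
}

int demo_overrun_detected(void)
{
    unsigned char big[40];
    memset(big, 'A', sizeof big);
    return unbounded_call(big, sizeof big);
}

int demo_overrun_bounded(void)
{
    unsigned char big[40];
    memset(big, 'A', sizeof big);
    return bounded_call(big, sizeof big);
}

int main(void)
{
    printf("short input, unbounded copy : %d\n", demo_short_fits());
    printf("40-byte input, unbounded copy: %d\n", demo_overrun_detected());
    printf("40-byte input, bounded copy  : %d\n", demo_overrun_bounded());
    return 0;
}
```

The point for debugging a report like the one above: because the comparison happens only in the epilogue, the backtrace identifies the function whose frame was damaged, not the statement that damaged it. Finding the actual write means looking at every unbounded store into a local buffer inside that function and inside anything it calls on the same frame, or running the binary under a memory checker that reports at the write itself.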