From gtw at gnu.org  Thu Jan 18 19:08:33 2018
From: gtw at gnu.org (Gary Wong)
Date: Thu, 18 Jan 2018 11:08:33 -0700
Subject: Bug in parse_ini.c default_file()?
Message-ID: <20180118180833.GA29540@flux.utah.edu>

Hi,

I believe there is a bug in lib/parse_ini.c where np_get_defaults()
can invoke free() on an invalid pointer.  The trouble is that
parse_locator(), when finding a default file, sets i->file to
the return value of default_file().  Sometimes (when $MP_CONFIG_FILE
is set), this will be malloc()ed memory, and all is well.  But
when $MP_CONFIG_FILE is unset and one of the default_ini_path_names[]
exists, then a pointer to the static string is returned (line 367), which
eventually gets stored into i->file by parse_locator() (line 106)
and then free()d in np_get_defaults() (line 139).  This bug is still
present as of commit 9661ee74.

To reproduce: create a valid config file (e.g., /etc/monitoring-plugins.ini),
compile or run with a sufficiently pedantic free() implementation
(gcc 6.4.0/glibc 2.25 will do it for me, or use valgrind), and then
run (e.g.) "check_snmp -H 127.0.0.1 -o 1 --extra-opts".

To fix: apply the following patch.  The new strdup() ensures that
default_file() always returns malloc()ed memory, whether the filename
is constructed from an environment variable or merely set to a
built-in default.

--- a/lib/parse_ini.c
+++ b/lib/parse_ini.c
@@ -364,7 +364,7 @@
                return ini_file;
        for (p = default_ini_path_names; *p != NULL; p++)
                if (access(*p, F_OK) == 0)
-                       return *p;
+                       return strdup(*p);
        return NULL;
 }

Thanks,
Gary.
-- 
     Gary Wong         gtw at gnu.org         http://www.cs.utah.edu/~gtw/