diff options
| author | Holger Weiss <holger@zedat.fu-berlin.de> | 2026-06-30 15:58:09 +0200 |
|---|---|---|
| committer | Holger Weiss <holger@zedat.fu-berlin.de> | 2026-06-30 15:58:09 +0200 |
| commit | a675995b19a6315f1b033a7c1ca980b5fbdc408d (patch) | |
| tree | 6a0dad9da2821f841fa624578cfe98ae1d309ffb /lib | |
| parent | c35c12e58d326ffbd6cfb3c9097653f9f3fb2f4a (diff) | |
| download | monitoring-plugins-a675995b19a6315f1b033a7c1ca980b5fbdc408d.tar.gz | |
check_icmp: Fix parsing of single-char threshold
The threshold parser starts a pointer at the last character of the
string and walks it backwards until it reaches the second character.
This assumes the string is at least two characters long. For a
single-character threshold such as "-w 1" or "-c 1", the pointer
underflows past the start of the string and keeps dereferencing memory
out of bounds.
Beyond the out-of-bounds reads, an out-of-bounds write can occur if a
stray '%' or ',' byte happens to turn up while scanning backwards. In
that case, the parser writes a NUL byte at that out-of-bounds address
(the ',' case additionally re-reads forward from there via strtoul(3)).
Only run the descending scan when the string has at least two
characters, leaving the behaviour for all valid thresholds unchanged.
Reported-by: Christopher Kreft <Email@ChristopherKreft.de>
Diffstat (limited to 'lib')
0 files changed, 0 insertions, 0 deletions
