From c35c12e58d326ffbd6cfb3c9097653f9f3fb2f4a Mon Sep 17 00:00:00 2001 From: Holger Weiss Date: Tue, 30 Jun 2026 15:32:40 +0200 Subject: check_icmp: Reject more than 65535 target hosts The number of -H hosts is counted into an unsigned short, so supplying more than 65535 hosts wraps the counter. The subsequent calloc(3) then allocates an undersized hosts array while the later parsing loop still writes one entry per host, overflowing the heap buffer. As process_arguments() runs before we drop privileges via setuid(getuid()), this happens while still running as root on setuid-root installs. Guard both places where the counter is incremented and bail out with a usage error once 65535 hosts are reached, rather than wrapping silently. Reported-by: Christopher Kreft --- plugins-root/check_icmp.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'plugins-root/check_icmp.c') diff --git a/plugins-root/check_icmp.c b/plugins-root/check_icmp.c index 1390a03e..f3c83ee0 100644 --- a/plugins-root/check_icmp.c +++ b/plugins-root/check_icmp.c @@ -361,6 +361,9 @@ check_icmp_config_wrapper process_arguments(int argc, char **argv) { enforced_ai_family = AF_INET6; break; case 'H': { + if (result.config.number_of_hosts == USHRT_MAX) { + usage_va("Number of specified hosts exceeds %u", USHRT_MAX); + } result.config.number_of_hosts++; break; } @@ -378,6 +381,9 @@ check_icmp_config_wrapper process_arguments(int argc, char **argv) { char **tmp = &argv[optind]; while (*tmp) { + if (result.config.number_of_hosts == USHRT_MAX) { + usage_va("Number of specified hosts exceeds %u", USHRT_MAX); + } result.config.number_of_hosts++; tmp++; } -- cgit v1.2.3-74-g34f1