[Xymon] Segfault in confreport-critical.sh / confreport.cgi in 4.3.24
Axel Beckert
beckert at phys.ethz.ch
Thu Dec 10 13:45:49 CET 2015
Hi,
Via corekeeper (https://packages.debian.org/stable/corekeeper) I
became aware of a segfault of confreport.cgi. I'm able to reproduce it
(at least) in a fresh browser instance (all cookies removed), going to
"Find host", searching for a non-existing host and then clicking on
"Config Report (Critical)". It says "172 hosts included" (i.e. not
just a single host as it happens if I searched for an existing host
before) and then outputs most of the page, but ends in the middle of
the alerts listing at line 8049 in the middle of a table:
<tr><td><font COLOR="#000000" FACE="Tahoma, Arial, Helvetica">079xxxxxxx at example.com (R)</font></td><td align=center>5m 1s </td><td align=center>-</td><td align=center>4h </td><td align=center>-</td><td>purple</td></tr>
<tr><td valign=top rowspan=4 >ports</td><td><font COLOR="#000000" FACE="Tahoma, Arial, Helvetica">0765
At least in one of the cases it ended in the same line, but with "076
instead of 0765". So I suspect we hit some C string size limit once
again.
I don't have a proper backtrace (yet), but I had look at the source
code and I'm quite confident that the issue is inside the function
print_alert_recipients() starting at lib/loadalerts.c, line 1124.
I suspect it's an overflow of the variable "buf". "l" seems large
enough with 4kB.
Kind regards, Axel Beckert
--
Axel Beckert <beckert at phys.ethz.ch> support: +41 44 633 26 68
IT Services Group, HPT H 6 voice: +41 44 633 41 89
Departement of Physics, ETH Zurich
CH-8093 Zurich, Switzerland http://nic.phys.ethz.ch/
More information about the Xymon
mailing list