segfault in hobbit-enadis.cgi in xymon-4.3.0-beta1

Frank Gruellich frank.gruellich at navteq.com
Tue Feb 24 19:09:22 CET 2009


Hi,

we tried to install xymon-4.3.0-beta1 today and it disabled the
Enable/Disable page for some reason.  Further investigations showed
that hobbit-enadis.cgi segfaults every time.  Even more investigation
showed:

[rpmbuilder at fighter ~]$ gdb /home/rpmbuilder/data/rpm/BUILD/hobbit-4.3.0beta1/web/hobbit-enadis.cgi
GNU gdb Red Hat Linux (6.5-37.el5rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...Using host libthread_db library "/lib64/libthread_db.so.1".

(gdb) set args --env=/usr/lib/hobbit/server/etc/hobbitserver.cfg
(gdb) set environment REQUEST_METHOD GET
(gdb) run
Starting program: /home/rpmbuilder/data/rpm/BUILD/hobbit-4.3.0beta1/web/hobbit-enadis.cgi --env=/usr/lib/hobbit/server/etc/hobbitserver.cfg
[Thread debugging using libthread_db enabled]
Content-type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>

<TITLE>Hobbit - Maintenance</TITLE>

<!-- Styles for the menu bar -->
<link rel="stylesheet" type="text/css" href="/hobbit/menu/menu.css">

<!-- The favicon image -->
<link rel="shortcut icon" href="/hobbit/gifs/favicon-blue.ico">

<!--
  * Stuff for the enable/disable page.
  *
  * This JavaScript has been copied from the "maint.pl"
  * script by Tom Schmidt, released under the "Artistic" license.
  -->
<script language="JavaScript" type="text/javascript">
[New Thread 47399241634928 (LWP 24758)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47399241634928 (LWP 24758)]
0x000000380ce78350 in strlen () from /lib64/libc.so.6
(gdb) bt
#0  0x000000380ce78350 in strlen () from /lib64/libc.so.6
#1  0x000000000041085c in addtobuffer (buf=0x128b54a0, newtext=0x0) at strfunc.c:121
#2  0x000000000040f153 in sendmessage (msg=0x416f9c "schedule", recipient=<value optimized out>, timeout=15, response=0x128b4380) at sendmsg.c:485
#3  0x0000000000405a26 in fetch_board () at headfoot.c:441
#4  0x0000000000406606 in output_parsed (output=0x380d14d760, templatedata=<value optimized out>, bgcolor=2, selectedtime=1235497392) at headfoot.c:723
#5  0x00000000004081fc in headfoot (output=0x380d14d760, template=0x41542c "maint", pagepath=<value optimized out>, head_or_foot=0x415460 "header", bgcolor=2) at headfoot.c:1391
#6  0x0000000000408577 in showform (output=0x380d14d760, headertemplate=0x41542c "maint", formtemplate=<value optimized out>, color=2, seltime=1235497392, pretext=0x0, posttext=0x0) at headfoot.c:1442
#7  0x0000000000402e87 in main (argc=2, argv=<value optimized out>) at hobbit-enadis.c:310
(gdb)

addtobuffer() is called with newtext=NULL which comes from respstr=NULL
in sendtomany() somewhere around this block:

                 if (first) {
                         /* We grab the result from the first server */
                         char *respstr = NULL;

                         if (response) {
                                 oneres =  sendtobbd(rcpt, msg,
                                                     response->respfd,
                                                     (response->respstr ? &respstr : NULL),
                                                     (response->respfd || response->respstr),
                                                     timeout);
                         }
                         else {
                                 oneres =  sendtobbd(rcpt, msg, NULL, NULL, 0, timeout);
                         }

                         if (oneres == BB_OK) {
                                 if (response && response->respstr) addtobuffer(response->respstr, respstr);
                                 first = 0;
                         }
                 }
                 else {
                         /* Secondary servers do not yield a response */
                         oneres =  sendtobbd(rcpt, msg, NULL, NULL, 0, timeout);
                 }

And now comes the "When I'm grown up I'll be a coder!" part.  I just
see that respstr is initialized with NULL and given to sendtobbd() by
reference, but I can't figure out if it's modified (set to a valid
value) within this function.  So the brave patch I can only give is:

[rpmbuilder at fighter xymon-4.3.0-beta1]$ diff -u lib/strfunc.c.orig lib/strfunc.c
--- lib/strfunc.c.orig  2009-02-24 18:23:06.000000000 +0100
+++ lib/strfunc.c       2009-02-24 18:24:21.000000000 +0100
@@ -118,7 +118,7 @@

  void addtobuffer(strbuffer_t *buf, char *newtext)
  {
-	strbuf_addtobuffer(buf, newtext, strlen(newtext));
+	if (newtext) strbuf_addtobuffer(buf, newtext, strlen(newtext));
  }

  void addtostrbuffer(strbuffer_t *buf, strbuffer_t *newtext)
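Review bot: the guard on `newtext` in addtobuffer() stops the strlen(NULL) crash but leaves the underlying fault untouched: per the backtrace, sendmessage() was called with a response structure and still handed a NULL respstr to addtobuffer(), meaning sendtobbd() returned BB_OK without ever setting the reply pointer. With this patch the CGI silently proceeds with an empty board instead of crashing, so the caller in sendtomany() should also check `respstr` (or sendtobbd() should fail when a reply was requested but none arrived) so that a missing hobbitd answer is reported rather than swallowed. Keeping the NULL check in addtobuffer() as a defensive measure is fine; it should just not be the only fix. Minor: the `-`/`+` lines are tab-indented while the surrounding context lines use spaces, so check the file's indentation before committing.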
[rpmbuilder at fighter xymon-4.3.0-beta1]$

Basically this can't be wrong because calling strlen with NULL is
probably a bad idea.  This works fine for *us* (read: Enable/Disable
works again and everything else we looked at, too), but *might* have
major impact for other installations.  If you need more information, do
not hesitate to request it.

Kind regards,
-- 
Navteq (DE) GmbH
Frank Gruellich
Map24 Systems and Networks

Duesseldorfer Strasse 40a
65760 Eschborn
Germany

Phone:      +49 6196 77756-414
Fax:        +49 6196 77756-100

USt-ID-No.: DE 197947163
Managing Directors: Thomas Golob, Alexander Wiegand,
Hans Pieter Gieszen, Martin Robert Stockman
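As an added example, not xymon's code or the poster's patch: a minimal stand-in for the strbuffer that reproduces the failure path from the backtrace (a reply pointer that starts as NULL and is never set by the send routine) and shows the guarded addtobuffer() handling it. The strbuffer_t layout, strbuf_addtobuffer() and sendtobbd_sim() are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for xymon's strbuffer_t; not the project's real layout. */
typedef struct { char *s; size_t used, sz; } strbuffer_t;

static void strbuf_addtobuffer(strbuffer_t *buf, const char *newtext, size_t len)
{
	if (buf->used + len + 1 > buf->sz) {
		size_t nsz = buf->sz ? buf->sz : 64;
		while (nsz < buf->used + len + 1) nsz *= 2;
		char *p = realloc(buf->s, nsz);
		if (!p) abort();
		buf->s = p; buf->sz = nsz;
	}
	memcpy(buf->s + buf->used, newtext, len);
	buf->used += len;
	buf->s[buf->used] = '\0';
}

/* Guarded variant: a NULL reply appends nothing instead of reaching strlen(NULL). */
void addtobuffer(strbuffer_t *buf, const char *newtext)
{
	if (newtext) strbuf_addtobuffer(buf, newtext, strlen(newtext));
}

/* Hypothetical simulation of sendtobbd(): returns BB_OK (0) either way, but only
 * fills *respstr when the server actually answered, like the failing case above. */
static int sendtobbd_sim(int server_answers, char **respstr)
{
	if (respstr && server_answers) {
		*respstr = malloc(4);
		if (!*respstr) abort();
		memcpy(*respstr, "OK\n", 4);
	}
	return 0;
}

/* Mirrors the sendtomany() pattern from the post: respstr starts as NULL and is
 * passed to addtobuffer() even if sendtobbd() never set it. Returns bytes held. */
size_t collect_reply(strbuffer_t *buf, int server_answers)
{
	char *respstr = NULL;
	if (sendtobbd_sim(server_answers, &respstr) == 0)
		addtobuffer(buf, respstr);
	free(respstr);
	return buf->used;
}
```

With the guard removed from addtobuffer(), the server_answers=0 path is exactly the strlen(NULL) crash in the backtrace; with it, the caller can still detect the missing reply by checking that the buffer did not grow.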


