[Xymon] Hostname validation (was Re: Xymon 4.3.29 Released - Important Security Update)
Tom Schmidt (tschmidt)
tschmidt at micron.com
Sat Aug 10 00:13:33 CEST 2019
Attached is a fix for the 4.3.29 version of xymonnet/xymonnet.c that is truncating the RPC test reporting for the service. With the security changes to using strncat() rather than strcat(), the size of a malloc string cannot be determined by using sizeof(). For example:
char *buffer = (char *)malloc(sizeof(char) * 10);   /* 10 bytes allocated on the heap */
int numElements = sizeof(buffer);                   /* sizeof(char *): 8 on a 64-bit host, not 10 */
does not return 10.
I did not have time to check the rest of the xymon source tree to see if there are other instances of the sizeof() being miscalculated for malloc'ed strings.
Tom Schmidt
Sr Manager, IT, Product Engineering
IT ETD Eng Sites US
Micron Technology, Inc.
Office: +1 (208) 368-4058 Fax: (208)368-2807
Email: tschmidt at micron.com Website: micron.com
Micron Technology, Inc., Confidential and Proprietary.
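The following C program is an added illustration of the defect described above; it is not Tom's attached patch and not code from xymonnet.c. The two RPC result lines, the RPC_BUFSZ allocation size and the function names are constructed for the example. It shows sizeof() applied to a malloc'ed pointer, the strncat() limit computed from that pointer size (which caps the appended text at sizeof(char *) - 1 bytes), and the corrected pattern that carries the allocation size in its own variable. As an observation only, the truncated "green S" in the report is seven characters, which is exactly sizeof(char *) - 1 on a 64-bit host; whether that is the exact arithmetic in xymonnet.c is an assumption here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input: two RPC result lines of the kind that appear at
 * the top of the xymonnet svcstatus report (not taken from xymonnet.c). */
static const char *rpc_lines[] = {
    "green Service rpcbind (ID: 100000) found on port 111\n",
    "green Service ypbind (ID: 100007) found on port 1013\n",
};
#define NLINES (sizeof(rpc_lines) / sizeof(rpc_lines[0]))

#define RPC_BUFSZ 4096   /* hypothetical heap allocation size */

/* sizeof() applied to a pointer yields the pointer's size, never the size of
 * the allocation it points at: this returns sizeof(char *), not 10. */
size_t sizeof_of_malloced_pointer(void)
{
    char *buffer = malloc(sizeof(char) * 10);
    size_t n = sizeof(buffer);
    free(buffer);
    return n;
}

/* Buggy pattern: the strncat() limit is derived from sizeof(buf), where buf
 * is a char *. The remaining-space arithmetic therefore believes the buffer
 * is sizeof(char *) bytes long and stops after 7 characters on a 64-bit
 * host: "green S". Nothing overflows, but the report is silently truncated. */
char *build_rpc_summary_buggy(void)
{
    char *buf = malloc(RPC_BUFSZ);
    if (buf == NULL) return NULL;
    buf[0] = '\0';
    for (size_t i = 0; i < NLINES; i++) {
        size_t used = strlen(buf);
        if (used >= sizeof(buf) - 1)          /* wrong: sizeof of a pointer */
            break;
        strncat(buf, rpc_lines[i], sizeof(buf) - used - 1);   /* wrong */
    }
    return buf;
}

/* Fixed pattern: keep the allocated size in its own variable and use it for
 * every bounds computation. strncat() still prevents overflow, but the limit
 * now reflects the real allocation, so the full summary is produced. */
char *build_rpc_summary_fixed(void)
{
    size_t bufsz = RPC_BUFSZ;
    char *buf = malloc(bufsz);
    if (buf == NULL) return NULL;
    buf[0] = '\0';
    for (size_t i = 0; i < NLINES; i++) {
        size_t used = strlen(buf);
        if (used >= bufsz - 1)
            break;                             /* buffer full, stop cleanly */
        strncat(buf, rpc_lines[i], bufsz - used - 1);
    }
    return buf;
}

int main(void)
{
    char *buggy = build_rpc_summary_buggy();
    char *fixed = build_rpc_summary_fixed();
    printf("sizeof(char *) = %zu\n", sizeof_of_malloced_pointer());
    printf("buggy : \"%s\"\n", buggy ? buggy : "(alloc failed)");
    printf("fixed :\n%s", fixed ? fixed : "(alloc failed)\n");
    free(buggy);
    free(fixed);
    return 0;
}
```

Building with -Wall is a cheap way to find the other instances Tom mentions: GCC's -Wsizeof-pointer-memaccess (enabled by -Wall) reports the common forms of sizeof() on a pointer used as a string-function length argument.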
-----Original Message-----
From: Tom Schmidt (tschmidt)
Sent: Thursday, August 8, 2019 10:54 AM
To: John Horne <john.horne at plymouth.ac.uk>; xymon at xymon.com
Subject: Re: [Xymon] Hostname validation (was Re: Xymon 4.3.29 Released - Important Security Update)
I likewise see one more issue with 4.3.29 that I am trying to correct. The xymonnet RPC check is not displaying the RPC test summary correctly at the top of the svcstatus report. It should look like this:
Mon Apr 1 10:53:02 2019 rpc ok,
green Service rpcbind (ID: 100000) found on port 111
green Service ypbind (ID: 100007) found on port 1013
Command: rpcinfo -p 1.2.3.4 2>&1
Instead, it is getting truncated like this:
Thu Aug 8 10:42:07 2019 rpc ok,
green S
Command: rpcinfo -p 1.2.3.4 2>&1
The truncation is causing any red/yellow/green RPC checks to not show properly at the top of the svcstatus report.
-----Original Message-----
From: Xymon <xymon-bounces at xymon.com> On Behalf Of John Horne
Sent: Thursday, August 8, 2019 10:16 AM
To: xymon at xymon.com
Subject: [EXT] Re: [Xymon] Hostname validation (was Re: Xymon 4.3.29 Released - Important Security Update)
On Mon, 2019-08-05 at 13:26 -0700, Japheth Cleaver wrote:
> Thanks, this does indeed fix the issue. I've added in underscores
> (which have been valid for hostnames in xymon, though not in reality)
> to match the checks elsewhere. Would appreciate if others could confirm on this.
>
> Fix/patch is committed in https://sourceforge.net/p/xymon/code/8072/ ;
> 4.3.30 with this to come shortly.
>
Sorry - stealing the subject - could I ask to hold fire with 4.3.30 for a little while. There still seems to be a problem with graph titles when using 'exec:'. I'm just trying to track it down now (looks like an extra double-quote has crept in somewhere). Thanks.
John.
--
John Horne | Senior Operations Analyst | Technology and Information Services, University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
_______________________________________________
Xymon mailing list
Xymon at xymon.com
http://lists.xymon.com/mailman/listinfo/xymon
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Patch-4.3.29_xymonnetRPC.txt
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20190809/540c2a80/attachment.txt>