Subject: nsca: crashes on malformed command line
Package: nsca
Version: 2.6-1
Severity: normal
Tags: patch

Hello,

the send_nsca command crashes when you give it a command line containing
the -c or -d parameters with data containing "%n" format strings:


[EMAIL PROTECTED]:~$ /usr/sbin/send_nsca -c %n%n%n%n
Segmentation fault
[EMAIL PROTECTED]:~$ /usr/sbin/send_nsca -d %n%n%n%n
Segmentation fault
[EMAIL PROTECTED]:~$


This is caused by two broken snprintf() calls, which can be fixed by
applying my attached patch.

Format string bugs such as these sometimes cause security issues, but I see
no security implications of this bug whatsoever. As the send_nsca binary is
not set to setuid or setgid anything, the person that runs it already has
all the permissions that the program has. It is still a bug that should be
fixed in the interest of achieving as high quality and stability as possible.

// Ulf Harnhammar

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages nsca depends on:
ii  libc6                        2.3.6.ds1-4 GNU C Library: Shared libraries
ii  libmcrypt4                   2.5.7-5     De-/Encryption Library

nsca recommends no packages.

-- debconf information:
  nsca/run-nsca-daemon:

--- src/send_nsca.c.old 2006-04-06 23:19:30.000000000 +0200
+++ src/send_nsca.c     2006-10-09 20:47:10.000000000 +0200
@@ -421,7 +421,7 @@ int process_arguments(int argc, char **a
                /* config file */
                else if(!strcmp(argv[x-1],"-c")){
                        if(x<argc){
-                               
snprintf(config_file,sizeof(config_file),argv[x]);
+                               
snprintf(config_file,sizeof(config_file),"%s",argv[x]);
                                config_file[sizeof(config_file)-1]='\x0';
                                x++;
                                }
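
Review bot: the snprintf() return value in the -c branch is still ignored, so a path longer than sizeof(config_file)-1 is silently truncated and config_file ends up holding a different path than the one given on the command line. Consider comparing the return value against sizeof(config_file) and exiting with an error when it is greater or equal. With the "%s" format in place a C99 snprintf() already NUL-terminates inside the buffer, so the explicit config_file[sizeof(config_file)-1]='\x0'; on the following line is redundant, though harmless to keep.
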
@@ -432,7 +432,7 @@ int process_arguments(int argc, char **a
                /* delimiter to use when parsing input */
                else if(!strcmp(argv[x-1],"-d")){
                        if(x<argc){
-                               snprintf(delimiter,sizeof(delimiter),argv[x]);
+                               
snprintf(delimiter,sizeof(delimiter),"%s",argv[x]);
                                delimiter[sizeof(delimiter)-1]='\x0';
                                x++;
                                }
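
Review bot: the -d branch passes argv[x] as the format in exactly the way the -c branch did, so the pattern was copied at least once and may exist in printf-family calls outside these two hunks. It is worth checking the rest of src/send_nsca.c for calls whose format argument is not a string literal, and building with gcc's -Wformat -Wformat-security so a reintroduction is flagged at compile time. An overlong delimiter is also truncated without notice here, because the snprintf() return value is not checked; rejecting it with an error would be safer than parsing input with a shortened delimiter.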
