[icinga-checkins] icinga.org: icinga-core/r1.6: possible fix for CVE-2012-6096 (nagios), added Icinga specific fixes

git at icinga.org git at icinga.org
Sun Jan 13 22:41:48 CET 2013


Module: icinga-core
Branch: r1.6
Commit: 600418ef4fe7560e74f17fe72a734850b5c7be02
URL:    https://git.icinga.org/?p=icinga-core.git;a=commit;h=600418ef4fe7560e74f17fe72a734850b5c7be02

Author: Michael Friedrich <michael.friedrich at netways.de>
Date:   Sun Jan 13 22:10:10 2013 +0100

possible fix for CVE-2012-6096 (nagios), added Icinga specific fixes

refs #3532

Conflicts:
	cgi/cgiutils.c
	cgi/status.c

---

 cgi/cgiutils.c |    4 ++++
 cgi/getcgi.c   |   35 ++++++++++++++++++++++++++++-------
 cgi/history.c  |   18 +++++++++---------
 3 files changed, 41 insertions(+), 16 deletions(-)

diff --git a/cgi/cgiutils.c b/cgi/cgiutils.c
index 33b4909..4b40c8c 100644
--- a/cgi/cgiutils.c
+++ b/cgi/cgiutils.c
@@ -2490,6 +2490,10 @@ void print_export_link(int content_type, char *cgi, char *add_to_url) {
 
 	/* just do stuff if some options are requested */
 	if (getenv("QUERY_STRING") != NULL && strcmp(getenv("QUERY_STRING"), "")) {
+		if(strlen(getenv("QUERY_STRING")) > MAX_INPUT_BUFFER) {
+			printf("print_export_link(): Could not allocate memory for stripped_query_string\n");
+			exit(1);
+		}
 		strcpy(stripped_query_string, getenv("QUERY_STRING"));
 		strip_html_brackets(stripped_query_string);
 		strcat(link, "?");
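Review bot: The added length check uses `>`, so a QUERY_STRING of exactly MAX_INPUT_BUFFER characters still reaches `strcpy`, which would write the terminating NUL one byte past the end if `stripped_query_string` is declared with MAX_INPUT_BUFFER bytes (the declaration is outside the hunk, so this is inferred). Comparing against the destination itself avoids the off-by-one: `if (strlen(getenv("QUERY_STRING")) >= sizeof(stripped_query_string)) {`, assuming it is an array and not a pointer. The error text says memory could not be allocated, although the real condition is an over-long query string; something like `"print_export_link(): QUERY_STRING too long\n"` would be more accurate for whoever reads the log. The `strcat(link, "?")` that follows is still unbounded, and the rest of print_export_link lies outside the hunk, so the size of `link` should be checked there as well.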
diff --git a/cgi/getcgi.c b/cgi/getcgi.c
index 6d231c7..ded4dbe 100644
--- a/cgi/getcgi.c
+++ b/cgi/getcgi.c
@@ -157,13 +157,15 @@ char **getcgivars(void) {
 		/* check for NULL query string environment variable - 04/28/00 (Ludo Bosmans) */
 		if (getenv("QUERY_STRING") == NULL) {
 			cgiinput = (char *)malloc(1);
+			if (cgiinput != NULL) {
+				cgiinput[0] = '\x0';
+			}
+		} else
+			cgiinput = strdup(getenv("QUERY_STRING"));
 			if (cgiinput == NULL) {
 				printf("getcgivars(): Could not allocate memory for CGI input.\n");
 				exit(1);
 			}
-			cgiinput[0] = '\x0';
-		} else
-			cgiinput = strdup(getenv("QUERY_STRING"));
 	}
 
 	else if (!strcmp(request_method, "POST") || !strcmp(request_method, "PUT")) {
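Review bot: The `if (cgiinput == NULL)` block is now indented as if it belonged to the unbraced `else`, but only the `strdup` line is the else body; the check runs after both branches. That is the intended behaviour here, but the layout hides it. Brace the else (`} else {` / `cgiinput = strdup(getenv("QUERY_STRING"));` / `}`) and dedent the NULL check one level, with a comment such as `/* covers both the malloc and the strdup path */`. The `malloc(1)` branch could also become `cgiinput = strdup("");`, which drops the separate NUL store.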
@@ -232,7 +234,11 @@ char **getcgivars(void) {
 	paircount = 0;
 	nvpair = strtok(cgiinput, "&");
 	while (nvpair) {
-		pairlist[paircount++] = strdup(nvpair);
+		pairlist[paircount] = strdup(nvpair);
+		if(pairlist[paircount++] == NULL) {
+			printf("getcgivars(): Could not allocate memory for name-value pair element #%d.\n", paircount);
+			exit(1);
+		}
 		if (paircount > MAX_CGI_INPUT_PAIRS)
 			break;
 		if (!(paircount % 256)) {
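Review bot: The NULL test `if(pairlist[paircount++] == NULL)` buries the increment inside the condition, so the number printed in the error message is already one past the slot that failed. The later messages in this function print the zero-based `i`, so the numbering is inconsistent across the error paths. Splitting it reads more clearly and keeps the same behaviour: `if (pairlist[paircount] == NULL) { ... }` followed by `paircount++;`. The loop body continues outside the hunk.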
@@ -259,12 +265,27 @@ char **getcgivars(void) {
 		/* get the variable name preceding the equal (=) sign */
 		if ((eqpos = strchr(pairlist[i], '=')) != NULL) {
 			*eqpos = '\0';
-			unescape_cgi_input(cgivars[i*2+1] = strdup(eqpos + 1));
+			cgivars[i*2+1] = strdup(eqpos + 1);
+			if(cgivars[i*2+1] == NULL) {
+				printf("getcgivars(): Could not allocate memory for cgi param value #%d.\n", i);
+				exit(1);
+			}
+			unescape_cgi_input(cgivars[i*2+1]);
 		} else
-			unescape_cgi_input(cgivars[i*2+1] = strdup(""));
+			cgivars[i*2+1] = strdup("");
+			if(cgivars[i*2+1] == NULL) {
+				printf("getcgivars(): Could not allocate memory for empty cgi param value #%d.\n", i);
+				exit(1);
+			}
+			unescape_cgi_input(cgivars[i*2+1]);
 
 		/* get the variable value (or name/value of there was no real "pair" in the first place) */
-		unescape_cgi_input(cgivars[i*2] = strdup(pairlist[i]));
+		cgivars[i*2] = strdup(pairlist[i]);
+		if(cgivars[i*2] == NULL) {
+			printf("getcgivars(): Could not allocate memory for cgi param name #%d.\n", i);
+			exit(1);
+		}
+		unescape_cgi_input(cgivars[i*2]);
 	}
 
 	/* terminate the name-value list */
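Review bot: The `else` here has no braces, so only `cgivars[i*2+1] = strdup("");` belongs to it; the NULL check and the second `unescape_cgi_input(cgivars[i*2+1]);` below it run on every iteration. For a pair that contains `=`, the value is therefore URL-decoded twice, where the old single-expression form decoded it once. With double decoding, a value such as `%253C` ends up as `<`, which can defeat any filtering that assumes one decoding pass. Brace the branch: change `} else` to `} else {` and add a closing `}` after the `unescape_cgi_input(cgivars[i*2+1]);` that ends the else body. A test with a percent-encoded `%` in a parameter value would pin this down.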
diff --git a/cgi/history.c b/cgi/history.c
index 97ab943..b11a534 100644
--- a/cgi/history.c
+++ b/cgi/history.c
@@ -747,14 +747,14 @@ void show_history(void) {
 				else if (display_type == DISPLAY_HOSTS) {
 
 					if (history_type == HOST_HISTORY || history_type == SERVICE_HISTORY) {
-						sprintf(match1, " HOST ALERT: %s;", host_name);
-						sprintf(match2, " SERVICE ALERT: %s;", host_name);
+						snprintf(match1, sizeof(match1), " HOST ALERT: %s;", host_name);
+						snprintf(match2, sizeof(match2), " SERVICE ALERT: %s;", host_name);
 					} else if (history_type == HOST_FLAPPING_HISTORY || history_type == SERVICE_FLAPPING_HISTORY) {
-						sprintf(match1, " HOST FLAPPING ALERT: %s;", host_name);
-						sprintf(match2, " SERVICE FLAPPING ALERT: %s;", host_name);
+						snprintf(match1, sizeof(match1), " HOST FLAPPING ALERT: %s;", host_name);
+						snprintf(match2, sizeof(match2), " SERVICE FLAPPING ALERT: %s;", host_name);
 					} else if (history_type == HOST_DOWNTIME_HISTORY || history_type == SERVICE_DOWNTIME_HISTORY) {
-						sprintf(match1, " HOST DOWNTIME ALERT: %s;", host_name);
-						sprintf(match2, " SERVICE DOWNTIME ALERT: %s;", host_name);
+						snprintf(match1, sizeof(match1), " HOST DOWNTIME ALERT: %s;", host_name);
+						snprintf(match2, sizeof(match2), " SERVICE DOWNTIME ALERT: %s;", host_name);
 					}
 
 					if (show_all_hosts == TRUE)
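Review bot: The `snprintf` calls discard the return value, so a `host_name` too long for `match1` or `match2` is silently truncated and loses the trailing `;` that ends the host name in the pattern. A truncated pattern is only a prefix, so the later `strstr` comparison may match log entries for other hosts whose names share that prefix. This assumes both buffers are arrays, since their declarations are outside the hunk. Capture the result and treat `n < 0 || (size_t)n >= sizeof(match1)` as "no match" (or reject the request) instead of searching with the shortened pattern. The same applies to the three `snprintf` calls in the `@@ -793,11 +793,11 @@` hunk, where `service_desc` is appended as well.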
@@ -793,11 +793,11 @@ void show_history(void) {
 				else if (display_type == DISPLAY_SERVICES) {
 
 					if (history_type == SERVICE_HISTORY)
-						sprintf(match1, " SERVICE ALERT: %s;%s;", host_name, service_desc);
+						snprintf(match1, sizeof(match1), " SERVICE ALERT: %s;%s;", host_name, service_desc);
 					else if (history_type == SERVICE_FLAPPING_HISTORY)
-						sprintf(match1, " SERVICE FLAPPING ALERT: %s;%s;", host_name, service_desc);
+						snprintf(match1, sizeof(match1), " SERVICE FLAPPING ALERT: %s;%s;", host_name, service_desc);
 					else if (history_type == SERVICE_DOWNTIME_HISTORY)
-						sprintf(match1, " SERVICE DOWNTIME ALERT: %s;%s;", host_name, service_desc);
+						snprintf(match1, sizeof(match1), " SERVICE DOWNTIME ALERT: %s;%s;", host_name, service_desc);
 
 					if (strstr(temp_entry->entry_text, match1) && (history_type == SERVICE_HISTORY || history_type == SERVICE_FLAPPING_HISTORY || history_type == SERVICE_DOWNTIME_HISTORY))
 						display_line = TRUE;




