mirror of
https://github.com/monitoring-plugins/monitoring-plugins.git
synced 2026-07-11 18:05:37 -04:00
The threshold parser starts a pointer at the last character of the string and walks it backwards until it reaches the second character. This assumes the string is at least two characters long. For a single-character threshold such as "-w 1" or "-c 1", the pointer underflows past the start of the string and keeps dereferencing memory out of bounds. Beyond the out-of-bounds reads, an out-of-bounds write can occur if a stray '%' or ',' byte happens to turn up while scanning backwards. In that case, the parser writes a NUL byte at that out-of-bounds address (the ',' case additionally re-reads forward from there via strtoul(3)). Only run the descending scan when the string has at least two characters, leaving the behaviour for all valid thresholds unchanged. Reported-by: Christopher Kreft <Email@ChristopherKreft.de> |
||
|---|---|---|
| .. | ||
| check_dhcp.d | ||
| check_icmp.d | ||
| t | ||
| check_dhcp.c | ||
| check_icmp.c | ||
| Makefile.am | ||
| pst3.c | ||