summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHolger Weiss <hweiss@users.sourceforge.net>2007-06-17 19:22:51 +0000
committerHolger Weiss <hweiss@users.sourceforge.net>2007-06-17 19:22:51 +0000
commit02033903c04113f12b80638c91131cbaf4a50a2f (patch)
tree141e547e4f8961ef3c044d4ce128ec2fb6e9703a
parentba3112f4c9e6521901ee2ad6e4268e1f06740b5a (diff)
downloadmonitoring-plugins-02033903c04113f12b80638c91131cbaf4a50a2f.tar.gz
Fix buffer overflow vulnerabilities when parsing HTTP redirect
'Location:' strings using sscanf(3) (Nobuhiro Ban - 1687867) git-svn-id: https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@1742 f882894a-f735-0410-b71e-b25c423dba1c
-rw-r--r--NEWS3
-rw-r--r--plugins/check_http.c43
2 files changed, 30 insertions, 16 deletions
diff --git a/NEWS b/NEWS
index 75fc1c7c..8c9938c5 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,8 @@
1This file documents the major additions and syntax changes between releases. 1This file documents the major additions and syntax changes between releases.
2 2
31.4.10 or 1.5 ??
4 Fix check_http buffer overflow vulnerability when following HTTP redirects
5
31.4.9 4th June 2006 61.4.9 4th June 2006
4 Inclusion of contrib/check_cluster2 as check_cluster with some improvements 7 Inclusion of contrib/check_cluster2 as check_cluster with some improvements
5 New/improved -E/--skip-stderr and -S/--skip-stdout options for check_by_ssh 8 New/improved -E/--skip-stderr and -S/--skip-stdout options for check_by_ssh
diff --git a/plugins/check_http.c b/plugins/check_http.c
index 6773e65b..45d24a98 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -53,7 +53,8 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net";
53enum { 53enum {
54 MAX_IPV4_HOSTLENGTH = 255, 54 MAX_IPV4_HOSTLENGTH = 255,
55 HTTP_PORT = 80, 55 HTTP_PORT = 80,
56 HTTPS_PORT = 443 56 HTTPS_PORT = 443,
57 MAX_PORT = 65535
57}; 58};
58 59
59#ifdef HAVE_SSL 60#ifdef HAVE_SSL
@@ -1057,14 +1058,14 @@ check_http (void)
1057 1058
1058/* per RFC 2396 */ 1059/* per RFC 2396 */
1059#define HDR_LOCATION "%*[Ll]%*[Oo]%*[Cc]%*[Aa]%*[Tt]%*[Ii]%*[Oo]%*[Nn]: " 1060#define HDR_LOCATION "%*[Ll]%*[Oo]%*[Cc]%*[Aa]%*[Tt]%*[Ii]%*[Oo]%*[Nn]: "
1060#define URI_HTTP "%[HTPShtps]://" 1061#define URI_HTTP "%5[HTPShtps]"
1061#define URI_HOST "%[-.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]" 1062#define URI_HOST "%255[-.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]"
1062#define URI_PORT ":%[0123456789]" 1063#define URI_PORT "%6d" /* MAX_PORT's width is 5 chars, 6 to detect overflow */
1063#define URI_PATH "%[-_.!~*'();/?:@&=+$,%#abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]" 1064#define URI_PATH "%[-_.!~*'();/?:@&=+$,%#abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]"
1064#define HD1 URI_HTTP URI_HOST URI_PORT URI_PATH 1065#define HD1 URI_HTTP "://" URI_HOST ":" URI_PORT "/" URI_PATH
1065#define HD2 URI_HTTP URI_HOST URI_PATH 1066#define HD2 URI_HTTP "://" URI_HOST "/" URI_PATH
1066#define HD3 URI_HTTP URI_HOST URI_PORT 1067#define HD3 URI_HTTP "://" URI_HOST ":" URI_PORT
1067#define HD4 URI_HTTP URI_HOST 1068#define HD4 URI_HTTP "://" URI_HOST
1068#define HD5 URI_PATH 1069#define HD5 URI_PATH
1069 1070
1070void 1071void
@@ -1075,7 +1076,6 @@ redir (char *pos, char *status_line)
1075 char xx[2]; 1076 char xx[2];
1076 char type[6]; 1077 char type[6];
1077 char *addr; 1078 char *addr;
1078 char port[6];
1079 char *url; 1079 char *url;
1080 1080
1081 addr = malloc (MAX_IPV4_HOSTLENGTH + 1); 1081 addr = malloc (MAX_IPV4_HOSTLENGTH + 1);
@@ -1118,10 +1118,8 @@ redir (char *pos, char *status_line)
1118 die (STATE_UNKNOWN, _("HTTP UNKNOWN - could not allocate url\n")); 1118 die (STATE_UNKNOWN, _("HTTP UNKNOWN - could not allocate url\n"));
1119 1119
1120 /* URI_HTTP, URI_HOST, URI_PORT, URI_PATH */ 1120 /* URI_HTTP, URI_HOST, URI_PORT, URI_PATH */
1121 if (sscanf (pos, HD1, type, addr, port, url) == 4) { 1121 if (sscanf (pos, HD1, type, addr, &i, url) == 4)
1122 use_ssl = server_type_check (type); 1122 use_ssl = server_type_check (type);
1123 i = atoi (port);
1124 }
1125 1123
1126 /* URI_HTTP URI_HOST URI_PATH */ 1124 /* URI_HTTP URI_HOST URI_PATH */
1127 else if (sscanf (pos, HD2, type, addr, url) == 3 ) { 1125 else if (sscanf (pos, HD2, type, addr, url) == 3 ) {
@@ -1130,10 +1128,9 @@ redir (char *pos, char *status_line)
1130 } 1128 }
1131 1129
1132 /* URI_HTTP URI_HOST URI_PORT */ 1130 /* URI_HTTP URI_HOST URI_PORT */
1133 else if(sscanf (pos, HD3, type, addr, port) == 3) { 1131 else if(sscanf (pos, HD3, type, addr, &i) == 3) {
1134 strcpy (url, HTTP_URL); 1132 strcpy (url, HTTP_URL);
1135 use_ssl = server_type_check (type); 1133 use_ssl = server_type_check (type);
1136 i = atoi (port);
1137 } 1134 }
1138 1135
1139 /* URI_HTTP URI_HOST */ 1136 /* URI_HTTP URI_HOST */
@@ -1179,7 +1176,6 @@ redir (char *pos, char *status_line)
1179 _("HTTP WARNING - redirection creates an infinite loop - %s://%s:%d%s%s\n"), 1176 _("HTTP WARNING - redirection creates an infinite loop - %s://%s:%d%s%s\n"),
1180 type, addr, i, url, (display_html ? "</A>" : "")); 1177 type, addr, i, url, (display_html ? "</A>" : ""));
1181 1178
1182 server_port = i;
1183 strcpy (server_type, type); 1179 strcpy (server_type, type);
1184 1180
1185 free (host_name); 1181 free (host_name);
@@ -1189,7 +1185,22 @@ redir (char *pos, char *status_line)
1189 server_address = strdup (addr); 1185 server_address = strdup (addr);
1190 1186
1191 free (server_url); 1187 free (server_url);
1192 server_url = strdup (url); 1188 if ((url[0] == '/'))
1189 server_url = strdup (url);
1190 else if (asprintf(&server_url, "/%s", url) == -1)
1191 die (STATE_UNKNOWN, _("HTTP UNKNOWN - Could not allocate server_url%s\n"),
1192 display_html ? "</A>" : "");
1193 free(url);
1194
1195 if ((server_port = i) > MAX_PORT)
1196 die (STATE_UNKNOWN,
1197 _("HTTP UNKNOWN - Redirection to port above %d - %s://%s:%d%s%s\n"),
1198 MAX_PORT, server_type, server_address, server_port, server_url,
1199 display_html ? "</A>" : "");
1200
1201 if (verbose)
1202 printf ("Redirection to %s://%s:%d%s\n", server_type, server_address,
1203 server_port, server_url);
1193 1204
1194 check_http (); 1205 check_http ();
1195} 1206}