diff options
author | Holger Weiss <hweiss@users.sourceforge.net> | 2007-06-17 19:22:51 +0000 |
---|---|---|
committer | Holger Weiss <hweiss@users.sourceforge.net> | 2007-06-17 19:22:51 +0000 |
commit | 02033903c04113f12b80638c91131cbaf4a50a2f (patch) | |
tree | 141e547e4f8961ef3c044d4ce128ec2fb6e9703a /plugins/check_http.c | |
parent | ba3112f4c9e6521901ee2ad6e4268e1f06740b5a (diff) | |
download | monitoring-plugins-02033903c04113f12b80638c91131cbaf4a50a2f.tar.gz |
Fix buffer overflow vulnerabilities when parsing HTTP redirect
'Location:' strings using sscanf(3) (Nobuhiro Ban - 1687867)
git-svn-id: https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@1742 f882894a-f735-0410-b71e-b25c423dba1c
Diffstat (limited to 'plugins/check_http.c')
-rw-r--r-- | plugins/check_http.c | 43 |
1 files changed, 27 insertions, 16 deletions
diff --git a/plugins/check_http.c b/plugins/check_http.c index 6773e65b..45d24a98 100644 --- a/plugins/check_http.c +++ b/plugins/check_http.c | |||
@@ -53,7 +53,8 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net"; | |||
53 | enum { | 53 | enum { |
54 | MAX_IPV4_HOSTLENGTH = 255, | 54 | MAX_IPV4_HOSTLENGTH = 255, |
55 | HTTP_PORT = 80, | 55 | HTTP_PORT = 80, |
56 | HTTPS_PORT = 443 | 56 | HTTPS_PORT = 443, |
57 | MAX_PORT = 65535 | ||
57 | }; | 58 | }; |
58 | 59 | ||
59 | #ifdef HAVE_SSL | 60 | #ifdef HAVE_SSL |
@@ -1057,14 +1058,14 @@ check_http (void) | |||
1057 | 1058 | ||
1058 | /* per RFC 2396 */ | 1059 | /* per RFC 2396 */ |
1059 | #define HDR_LOCATION "%*[Ll]%*[Oo]%*[Cc]%*[Aa]%*[Tt]%*[Ii]%*[Oo]%*[Nn]: " | 1060 | #define HDR_LOCATION "%*[Ll]%*[Oo]%*[Cc]%*[Aa]%*[Tt]%*[Ii]%*[Oo]%*[Nn]: " |
1060 | #define URI_HTTP "%[HTPShtps]://" | 1061 | #define URI_HTTP "%5[HTPShtps]" |
1061 | #define URI_HOST "%[-.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]" | 1062 | #define URI_HOST "%255[-.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]" |
1062 | #define URI_PORT ":%[0123456789]" | 1063 | #define URI_PORT "%6d" /* MAX_PORT's width is 5 chars, 6 to detect overflow */ |
1063 | #define URI_PATH "%[-_.!~*'();/?:@&=+$,%#abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]" | 1064 | #define URI_PATH "%[-_.!~*'();/?:@&=+$,%#abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]" |
1064 | #define HD1 URI_HTTP URI_HOST URI_PORT URI_PATH | 1065 | #define HD1 URI_HTTP "://" URI_HOST ":" URI_PORT "/" URI_PATH |
1065 | #define HD2 URI_HTTP URI_HOST URI_PATH | 1066 | #define HD2 URI_HTTP "://" URI_HOST "/" URI_PATH |
1066 | #define HD3 URI_HTTP URI_HOST URI_PORT | 1067 | #define HD3 URI_HTTP "://" URI_HOST ":" URI_PORT |
1067 | #define HD4 URI_HTTP URI_HOST | 1068 | #define HD4 URI_HTTP "://" URI_HOST |
1068 | #define HD5 URI_PATH | 1069 | #define HD5 URI_PATH |
1069 | 1070 | ||
1070 | void | 1071 | void |
@@ -1075,7 +1076,6 @@ redir (char *pos, char *status_line) | |||
1075 | char xx[2]; | 1076 | char xx[2]; |
1076 | char type[6]; | 1077 | char type[6]; |
1077 | char *addr; | 1078 | char *addr; |
1078 | char port[6]; | ||
1079 | char *url; | 1079 | char *url; |
1080 | 1080 | ||
1081 | addr = malloc (MAX_IPV4_HOSTLENGTH + 1); | 1081 | addr = malloc (MAX_IPV4_HOSTLENGTH + 1); |
@@ -1118,10 +1118,8 @@ redir (char *pos, char *status_line) | |||
1118 | die (STATE_UNKNOWN, _("HTTP UNKNOWN - could not allocate url\n")); | 1118 | die (STATE_UNKNOWN, _("HTTP UNKNOWN - could not allocate url\n")); |
1119 | 1119 | ||
1120 | /* URI_HTTP, URI_HOST, URI_PORT, URI_PATH */ | 1120 | /* URI_HTTP, URI_HOST, URI_PORT, URI_PATH */ |
1121 | if (sscanf (pos, HD1, type, addr, port, url) == 4) { | 1121 | if (sscanf (pos, HD1, type, addr, &i, url) == 4) |
1122 | use_ssl = server_type_check (type); | 1122 | use_ssl = server_type_check (type); |
1123 | i = atoi (port); | ||
1124 | } | ||
1125 | 1123 | ||
1126 | /* URI_HTTP URI_HOST URI_PATH */ | 1124 | /* URI_HTTP URI_HOST URI_PATH */ |
1127 | else if (sscanf (pos, HD2, type, addr, url) == 3 ) { | 1125 | else if (sscanf (pos, HD2, type, addr, url) == 3 ) { |
@@ -1130,10 +1128,9 @@ redir (char *pos, char *status_line) | |||
1130 | } | 1128 | } |
1131 | 1129 | ||
1132 | /* URI_HTTP URI_HOST URI_PORT */ | 1130 | /* URI_HTTP URI_HOST URI_PORT */ |
1133 | else if(sscanf (pos, HD3, type, addr, port) == 3) { | 1131 | else if(sscanf (pos, HD3, type, addr, &i) == 3) { |
1134 | strcpy (url, HTTP_URL); | 1132 | strcpy (url, HTTP_URL); |
1135 | use_ssl = server_type_check (type); | 1133 | use_ssl = server_type_check (type); |
1136 | i = atoi (port); | ||
1137 | } | 1134 | } |
1138 | 1135 | ||
1139 | /* URI_HTTP URI_HOST */ | 1136 | /* URI_HTTP URI_HOST */ |
@@ -1179,7 +1176,6 @@ redir (char *pos, char *status_line) | |||
1179 | _("HTTP WARNING - redirection creates an infinite loop - %s://%s:%d%s%s\n"), | 1176 | _("HTTP WARNING - redirection creates an infinite loop - %s://%s:%d%s%s\n"), |
1180 | type, addr, i, url, (display_html ? "</A>" : "")); | 1177 | type, addr, i, url, (display_html ? "</A>" : "")); |
1181 | 1178 | ||
1182 | server_port = i; | ||
1183 | strcpy (server_type, type); | 1179 | strcpy (server_type, type); |
1184 | 1180 | ||
1185 | free (host_name); | 1181 | free (host_name); |
@@ -1189,7 +1185,22 @@ redir (char *pos, char *status_line) | |||
1189 | server_address = strdup (addr); | 1185 | server_address = strdup (addr); |
1190 | 1186 | ||
1191 | free (server_url); | 1187 | free (server_url); |
1192 | server_url = strdup (url); | 1188 | if ((url[0] == '/')) |
1189 | server_url = strdup (url); | ||
1190 | else if (asprintf(&server_url, "/%s", url) == -1) | ||
1191 | die (STATE_UNKNOWN, _("HTTP UNKNOWN - Could not allocate server_url%s\n"), | ||
1192 | display_html ? "</A>" : ""); | ||
1193 | free(url); | ||
1194 | |||
1195 | if ((server_port = i) > MAX_PORT) | ||
1196 | die (STATE_UNKNOWN, | ||
1197 | _("HTTP UNKNOWN - Redirection to port above %d - %s://%s:%d%s%s\n"), | ||
1198 | MAX_PORT, server_type, server_address, server_port, server_url, | ||
1199 | display_html ? "</A>" : ""); | ||
1200 | |||
1201 | if (verbose) | ||
1202 | printf ("Redirection to %s://%s:%d%s\n", server_type, server_address, | ||
1203 | server_port, server_url); | ||
1193 | 1204 | ||
1194 | check_http (); | 1205 | check_http (); |
1195 | } | 1206 | } |