I managed to get collectd to segfault in a couple of places while playing with it a bit. The first is in the curl_xml module when the XPATH expression doesn't quite match the input. The crash occurs on line 407 when instance_node->nodeTab[0] is dereferenced. At this point, all members of instance_node are 0, so dereferencing the array isn't a good idea. This patch fixes the problem, although I'm not sure if this particular case actually deserves its own error message:
diff --git a/src/curl_xml.c b/src/curl_xml.c
index 2a36608..2b1d247 100644
--- a/src/curl_xml.c
+++ b/src/curl_xml.c
@@ -385,7 +385,7 @@ static int cx_handle_instance_xpath (xmlXPathContextPtr
xpath_ctx, /* {{{ */
instance_node = instance_node_obj->nodesetval;
tmp_size = (instance_node) ? instance_node->nodeNr : 0;
- if ( (tmp_size == 0) && (is_table) )
+ if (tmp_size == 0)
{
WARNING ("curl_xml plugin: "
"relative xpath expression for 'InstanceFrom' \"%s\" doesn't match "
The second problem occurred once in stop_write_threads() during shutdown, in this loop:
for (q = write_queue_head; q != NULL; q = q->next)
{
plugin_value_list_free (q->vl);
sfree (q);
i++;
}
Once q has been freed by sfree(), it's no longer safe to dereference in the
for statement. I'm attaching a fix for that.
On a side note, the check for NULL in sfree() isn't actually necessary--ANSI C
specifies that free() must be safe when given a NULL pointer.
>>> Dan
From 43ed73d243635a86e5e72da434092f578d593269 Mon Sep 17 00:00:00 2001 From: Dan Fandrich <[email protected]> Date: Mon, 4 Feb 2013 23:59:41 +0100 Subject: [PATCH] Fix a NULL pointer dereference during shutdown --- src/plugin.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/plugin.c b/src/plugin.c index 7037234..942f8bf 100644 --- a/src/plugin.c +++ b/src/plugin.c @@ -810,10 +810,12 @@ static void stop_write_threads (void) /* {{{ */ pthread_mutex_lock (&write_lock); i = 0; - for (q = write_queue_head; q != NULL; q = q->next) + for (q = write_queue_head; q != NULL; ) { + write_queue_t *q1 = q; plugin_value_list_free (q->vl); - sfree (q); + q = q->next; + sfree (q1); i++; } write_queue_head = NULL; -- 1.7.10
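Review bot: In the loop in stop_write_threads(), the temporary `q1` has a name that says nothing about its role, and leaving the third clause of the `for` empty hides the list advance inside the body. Saving the successor first, e.g. `write_queue_t *next = q->next;` ahead of `sfree (q);` followed by `q = next;`, or rewriting the loop as `while (q != NULL)`, makes the ordering constraint explicit. The commit message has only a subject line; a sentence stating that the old loop evaluated `q->next` after `sfree (q)` would record why the reordering matters.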
_______________________________________________ collectd mailing list [email protected] http://mailman.verplant.org/listinfo/collectd
