Hi Matt,

On Wed, Apr 09, 2008 at 08:27:17PM +0100, Matthew Boyle wrote:
> found the bug: it's a buffer overflow in rrd_set_error. the static
> buffer lengths are initialised the wrong way round in, so vsnprintf
> (securely! :-p ) writes 4096 bytes into a 256 byte buffer, screwing up
> the pointers in struct global_ctx. cue segfault.
Thanks - that does look like the problem.
> --- rrdtool-1.2.15/src/rrd_not_thread_safe.c 2006-07-14 13:11:26.000000000
> +0100
> +++ rrdtool-1.2.15-modified/src/rrd_not_thread_safe.c 2008-04-09
> 19:51:14.415714985 +0100
> @@ -22,8 +22,8 @@
> static struct rrd_context global_ctx = {
> sizeof(rrd_error),
> sizeof(rrd_liberror),
> - rrd_error,
> rrd_liberror
> + rrd_error,
> };
> #include <stdarg.h>
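Review bot: the moved `+ rrd_error,` line keeps its trailing comma while the `rrd_liberror` line it now follows has none, so the initializer reads `rrd_liberror rrd_error,` and will not compile; drop the comma from `rrd_error` and put one after `rrd_liberror`, or switch to designated initializers (`.rrd_error = rrd_error`, `.lib_errstr = rrd_liberror`) so member order cannot be swapped again. Note also that the hunk swaps only the two pointers and leaves `sizeof(rrd_error), sizeof(rrd_liberror)` in their original positions, so it is worth confirming against the struct definition that each length now sits beside the buffer it describes.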
Well, that patch will not work like this - you need to remove the comma
following "rrd_error" and put it after "rrd_liberror" ;-) Anyway, thanks
for the patch.
Cheers,
Sebastian
PS: Judging from what you wrote in #rrdtool yesterday, you're already
about to send the patch to Tobi, so I won't take care of that myself.
Please send the patch to the mailing-list, so we know what's going on as
well. TIA.
--
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/
Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin
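An added example, not code from this thread or from rrdtool, showing the initializer mix-up Matt describes (a size recorded for one buffer paired with a pointer to a smaller one) and how to make the mismatch detectable before vsnprintf uses the wrong bound. The struct layout, field names, buffer sizes and the ctx_* functions are assumptions modelled on the quoted hunk, not rrdtool's own definitions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the rrdtool context discussed in the thread:
 * two static error buffers of different sizes and a struct holding each
 * buffer's capacity and address. Field names and order are assumptions. */
static char rrd_error_buf[4096];
static char rrd_liberror_buf[256];

struct err_ctx {
    int   errlen;      /* capacity of the buffer rrd_error points to */
    int   liblen;      /* capacity of the buffer lib_errstr points to */
    char *lib_errstr;  /* small library-error buffer */
    char *rrd_error;   /* large rrd-error buffer */
};

/* Buggy: positional initializer with the sizes in one order and the
 * pointers in the other. errlen becomes 4096 while rrd_error points at
 * the 256-byte buffer, which is the mismatch the thread describes. */
static struct err_ctx buggy_ctx = {
    sizeof(rrd_error_buf), sizeof(rrd_liberror_buf),
    rrd_error_buf, rrd_liberror_buf,
};

/* Fixed: designated initializers bind each value to a named member, so a
 * reordered struct definition or initializer can no longer swap them. */
static struct err_ctx fixed_ctx = {
    .errlen = sizeof(rrd_error_buf),    .rrd_error  = rrd_error_buf,
    .liblen = sizeof(rrd_liberror_buf), .lib_errstr = rrd_liberror_buf,
};

/* Real capacity of a pointer into one of the two known buffers (0 if unknown). */
static size_t capacity_of(const char *p)
{
    if (p == rrd_error_buf)    return sizeof(rrd_error_buf);
    if (p == rrd_liberror_buf) return sizeof(rrd_liberror_buf);
    return 0;
}

/* 1 if every recorded length matches the buffer it is paired with, else 0. */
int ctx_is_consistent(const struct err_ctx *c)
{
    return c->errlen > 0 && (size_t)c->errlen == capacity_of(c->rrd_error)
        && c->liblen > 0 && (size_t)c->liblen == capacity_of(c->lib_errstr);
}

/* Format an error into c->rrd_error. Refuses (returns -1) when the context
 * is inconsistent, because the vsnprintf bound would then be wrong;
 * otherwise returns the length actually stored (vsnprintf truncates the
 * text to errlen - 1 characters plus the terminator). */
int ctx_set_error(struct err_ctx *c, const char *fmt, ...)
{
    va_list ap;
    if (!ctx_is_consistent(c))
        return -1;
    va_start(ap, fmt);
    vsnprintf(c->rrd_error, (size_t)c->errlen, fmt, ap);
    va_end(ap);
    return (int)strlen(c->rrd_error);
}

/* Oversized message: "%*d" pads to `width` characters, exercising truncation
 * against the recorded capacity instead of writing past the buffer. */
int ctx_set_padded_error(struct err_ctx *c, int width)
{
    return ctx_set_error(c, "%*d", width, 7);
}

int main(void)
{
    printf("buggy ctx consistent: %d\n", ctx_is_consistent(&buggy_ctx));
    printf("fixed ctx consistent: %d\n", ctx_is_consistent(&fixed_ctx));
    printf("stored length for a 5000-char message: %d\n",
           ctx_set_padded_error(&fixed_ctx, 5000));
    return 0;
}
```

The consistency check only works because the example knows which static buffers exist; in a real code base the equivalent safeguard is the designated initializer plus a compile-time check (for example a static assertion) that each length constant equals the sizeof of its buffer, so the pairing cannot drift when the struct is edited.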