From: Florian Forster Date: Wed, 30 May 2007 06:06:48 +0000 (+0200) Subject: Merge branch 'collectd-3.11' X-Git-Tag: collectd-4.0.0~6 X-Git-Url: https://git.octo.it/?a=commitdiff_plain;h=721f8d81910c71154aba9ff8d243db52bfb584ed;hp=011b30ce3a419d543040102bb3d077e7fbd4aa0f;p=collectd.git Merge branch 'collectd-3.11' Conflicts: ChangeLog configure.in --- diff --git a/ChangeLog b/ChangeLog index 05772cf6..afcb453d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,12 @@ * collectd-nagios: The new `collectd-nagios' binary queries values from collectd, parses them and exits according to Nagios-standards. +2007-05-29, Version 3.11.5 + * configure: Added `AC_SYS_LARGEFILE' for LFS. + * ntpd plugin: Fix a potential buffer overflow. + * processes plugin: Fix a bug when run under Linux 2.4. All processes + were accounted as `zombies'. + 2007-04-10, Version 3.11.4 * dns plugin: Change the order of includes to make the plugin compile under FreeBSD. diff --git a/debian/changelog b/debian/changelog index 8d04e16c..14e450b3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +collectd (3.11.5-0octo1) unstable; urgency=low + + * New upstream release. + + -- Florian Forster Tue, 29 May 2007 22:50:59 +0200 + collectd (3.11.4-0octo1) unstable; urgency=low * New upstream release. diff --git a/src/ntpd.c b/src/ntpd.c index 83bf1628..b5f1a46c 100644 --- a/src/ntpd.c +++ b/src/ntpd.c @@ -568,6 +568,14 @@ static int ntpd_receive_response (int req_code, int *res_items, int *res_size, continue; } + if (pkt_item_len > res_item_size) + { + syslog (LOG_ERR, "ntpd plugin: (pkt_item_len = %i) " + ">= (res_item_size = %i)", + pkt_item_len, res_item_size); + continue; + } + /* If this is the first packet (time wise, not sequence wise), * set `res_size'. If it's not the first packet check if the * items have the same size. Discard invalid packets. */ @@ -584,9 +592,16 @@ static int ntpd_receive_response (int req_code, int *res_items, int *res_size, continue; } + /* + * Because the items in the packet may be smaller than the + * items requested, the following holds true: + */ + assert ((*res_size == pkt_item_len) + && (pkt_item_len <= res_item_size)); + /* Calculate the padding. No idea why there might be any padding.. */ pkt_padding = 0; - if (res_item_size > pkt_item_len) + if (pkt_item_len < res_item_size) pkt_padding = res_item_size - pkt_item_len; DEBUG ("res_item_size = %i; pkt_padding = %i;", res_item_size, pkt_padding); @@ -631,18 +646,26 @@ static int ntpd_receive_response (int req_code, int *res_items, int *res_size, (items_num + pkt_item_num) * res_item_size); items = realloc ((void *) *res_data, (items_num + pkt_item_num) * res_item_size); - items_num += pkt_item_num; if (items == NULL) { items = *res_data; ERROR ("ntpd plugin: realloc failed."); continue; } + items_num += pkt_item_num; *res_data = items; for (i = 0; i < pkt_item_num; i++) { + /* dst: There are already `*res_items' items with + * res_item_size bytes each in in `*res_data'. Set + * dst to the first byte after that. */ void *dst = (void *) (*res_data + ((*res_items) * res_item_size)); + /* src: We use `pkt_item_len' to calculate the offset + * from the beginning of the packet, because the + * items in the packet may be smaller than the + * items that were requested. We skip `i' such + * items. */ void *src = (void *) (((char *) res.data) + (i * pkt_item_len)); /* Set the padding to zeros */ @@ -650,8 +673,10 @@ static int ntpd_receive_response (int req_code, int *res_items, int *res_size, memset (dst, '\0', res_item_size); memcpy (dst, src, (size_t) pkt_item_len); + /* Increment `*res_items' by one, so `dst' will end up + * one further in the next round. */ (*res_items)++; - } + } /* for (pkt_item_num) */ pkt_recvd[pkt_sequence] = (char) 1; pkt_recvd_num++; @@ -661,7 +686,7 @@ static int ntpd_receive_response (int req_code, int *res_items, int *res_size, } /* while (done == 0) */ return (0); -} +} /* int ntpd_receive_response */ /* For a description of the arguments see `ntpd_do_query' below. */ static int ntpd_send_request (int req_code, int req_items, int req_size, char *req_data)