buffer overflow detected for /usr/lib/hobbit/server/bin/bb-rep.cgi terminated

Bug #707393 reported by Brent Clark
Affects: xymon (Ubuntu)
Status: Opinion
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: xymon

To whom it may concern

There appears to be a bug with Xymon's Availability report. I started doing straces and then I found:

14:29:39.537196 mkdir("/usr/lib/hobbit/server/www/rep/3755-1295958579", 0755) = 0 <0.000080>
14:29:39.537344 open("/dev/tty", O_RDWR|O_NOCTTY|O_NONBLOCK) = -1 ENXIO (No such device or address) <0.000022>
14:29:39.537417 writev(2, [{"*** ", 4}, {"buffer overflow detected", 24}, {" ***: ", 6}, {"/usr/lib/hobbit/server/bin/bb-re"..., 37}, {" terminated\n", 12}], 5) = 83 <0.000028>

When I got the strace I started Googling the problem; it appears to be a known / common problem:

http://comments.gmane.org/gmane.comp.monitoring.hobbit/23117
http://www.xymon.com/archive/2009/07/msg00369.html
http://www.xymon.com/archive/2010/03/msg00150.html

Below is the output in /var/log/hobbit/cgierror.log
-------------------------------------------------------------
*** buffer overflow detected ***: /usr/lib/hobbit/server/bin/bb-rep.cgi terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7ff427b13217]
/lib/libc.so.6(+0xfe0d0)[0x7ff427b120d0]
/lib/libc.so.6(+0xfd539)[0x7ff427b11539]
/lib/libc.so.6(_IO_default_xsputn+0xcc)[0x7ff427a89d1c]
/lib/libc.so.6(_IO_vfprintf+0xf3e)[0x7ff427a5a2de]
/lib/libc.so.6(__vsprintf_chk+0x99)[0x7ff427b115d9]
/lib/libc.so.6(__sprintf_chk+0x7f)[0x7ff427b1151f]
/usr/lib/hobbit/server/bin/bb-rep.cgi[0x403226]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7ff427a32c4d]
/usr/lib/hobbit/server/bin/bb-rep.cgi[0x4025e9]

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: xymon (not installed)
ProcVersionSignature: Ubuntu 2.6.35-25.43-generic 2.6.35.10
Uname: Linux 2.6.35-25-generic i686
NonfreeKernelModules: nvidia
Architecture: i386
Date: Tue Jan 25 14:56:07 2011
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release i386 (20100429)
ProcEnviron:
 LANG=en_ZA.utf8
 SHELL=/bin/bash
SourcePackage: xymon

Rolf Biesbroek (r-biesbroek) wrote :

After debugging together with some colleagues, I found a solution for this problem.

In the source code of report.c and snapshot.c (in the map ./web) there is a declaration in the main function: "char htmldelim[20];". In the same main function we can find: "sprintf(htmldelim, "xymonrep-%u-%u", (int)getpid(), (unsigned int)getcurrenttime(NULL));"

Because the size of "char htmldelim[20];" is not sufficient enough this process will crash. I changed this char value into 100 and after a "make && make install" command the issue seems to be resolved!

Kind Regards,

Rolf Biesbroek
University Twente
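
The arithmetic behind the crash, as an added example that is not part of the original comment or of the Xymon source: it measures the delimiter string with `snprintf(NULL, 0, ...)` and shows a bounded call that reports a too-small buffer instead of writing past it. The helper names `delim_len` and `format_delim` are hypothetical, the sample values are the two numbers in the mkdir() path from the strace output (taken here as pid and timestamp), and `unsigned` is assumed to be 32 bits wide.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Format string quoted in the comment above. */
#define DELIM_FMT "xymonrep-%u-%u"

/* Characters needed for the delimiter, excluding the terminating NUL.
 * snprintf(NULL, 0, ...) writes nothing and returns the would-be length. */
static int delim_len(unsigned pid, unsigned now)
{
    return snprintf(NULL, 0, DELIM_FMT, pid, now);
}

/* Bounded replacement for the sprintf() call (hypothetical helper).
 * Returns the string length on success, -1 if buf is too small. */
static int format_delim(char *buf, size_t bufsz, unsigned pid, unsigned now)
{
    int n = snprintf(buf, bufsz, DELIM_FMT, pid, now);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;   /* would not fit: report it instead of overflowing */
    return n;
}

int main(void)
{
    char small[20];  /* size declared in report.c / snapshot.c per the comment */
    char big[32];    /* worst case is 30 characters plus the NUL */
    unsigned pid = 3755, now = 1295958579u;  /* sample values from the strace line */

    printf("this run needs  : %d chars + NUL\n", delim_len(pid, now));
    printf("32-bit worst case: %d chars + NUL\n", delim_len(UINT_MAX, UINT_MAX));
    printf("char[20] result : %d\n", format_delim(small, sizeof small, pid, now));
    printf("char[32] result : %d\n", format_delim(big, sizeof big, pid, now));
    printf("delimiter       : %s\n", big);
    return 0;
}
```

The `__sprintf_chk` frame in the backtrace is the fortified `sprintf` noticing the same shortfall at run time and aborting the CGI rather than letting the write run past `htmldelim`.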

Changed in xymon (Ubuntu):
status: New → Opinion