[mrtg-developers] Buffer overflow in rateup

Ulf Härnhammar Ulf.Harnhammar.9485 at student.uu.se
Thu Aug 26 21:13:51 MEST 2004

I have discovered a potential crash bug in MRTG. The rateup
program doesn't handle really malformed log files very well. It
has an fscanf() call with two "%s" format strings that store data
of arbitrary length to char name[MAXL] arrays. This causes a crash
if the string fields in the log file are longer than that.

Despite being a buffer overflow, this is probably not a security
problem, as outsiders can't run rateup with long enough values as
far as I know. Nevertheless, I think this bug is worth fixing,
as the Right Thing for a program should be not to assume anything
about its input and to handle various problems well.

I have attached a log file that causes this problem, as well as a
patch against MRTG-2.10.15.

// Ulf Harnhammar

-- Attached file removed by Ecartis and put at URL below --
-- Type: application/octet-stream
-- Size: 604 bytes
-- URL : http://www.ee.ethz.ch/~slist/p/crash.log

-- Attached file removed by Ecartis and put at URL below --
-- Type: text/plain
-- Size: 650 bytes
-- URL : http://www.ee.ethz.ch/~slist/p/mrtg.patch

Unsubscribe mailto:mrtg-developers-request at list.ee.ethz.ch?subject=unsubscribe
Help        mailto:mrtg-developers-request at list.ee.ethz.ch?subject=help
Archive     http://www.ee.ethz.ch/~slist/mrtg-developers

More information about the mrtg-developers mailing list