[rrd-developers] Bug#573638: rrdtool: rrdcgi crashes at printlasttime()

Sebastian Harl tokkee at debian.org
Sun Mar 14 14:16:14 CET 2010 

Hi Robert,

On Thu, Mar 11, 2010 at 01:34:01PM +0100, Robert Luberda wrote:
> iptotal.cgi (from the iptotal package) contains the following line
> <RRD::TIME::LAST /var/lib/iptotal/iptotal.rrd %c>
> which causes rrdcgi to crash with the following backtrace:
> 
> (gdb) bt
> #0  strlen () at ../sysdeps/i386/i486/strlen.S:40
> #1  0xb73a681e in _IO_vfprintf_internal (s=0xbfa4086c,
>     format=0xb781edd0 "Usage: rrdtool %s [--daemon <addr>] <file>",
> ap=0xbfa40988 "\021\001\202ˇ")
>     at vfprintf.c:1601
> #2  0xb73c56b4 in _IO_vsnprintf (string=0xb78269c0 "Usage: rrdtool ",
> maxlen=4096,
>     format=0xb781edd0 "Usage: rrdtool %s [--daemon <addr>] <file>",
> args=0xbfa40984 "\211")
>     at vsnprintf.c:120
> #3  0xb78140c4 in rrd_set_error () from /usr/lib/librrd.so.4
> #4  0xb7805be4 in rrd_last () from /usr/lib/librrd.so.4
> #5  0x0804b211 in printtimelast ()
> #6  0x0804aa83 in ?? ()
> #7  0x0804c265 in ?? ()
> #8  0xb737bb55 in __libc_start_main (main=0x804bf70, argc=2,
> ubp_av=0xbfa40bb4, init=0x804c5c0,
>     fini=0x804c5b0, rtld_fini=0xb78629b0 <_dl_fini>,
> stack_end=0xbfa40bac) at libc-start.c:222

Thanks for reporting this!

> Afer some investigation, I found that the problem is in the line 991 
> of rrd_cgi.c:
> 
>   last = rrd_last(argc + 1, (char **) args - 1);
> 
> The first argument of rrd_last() should obviously be argc (which is 2),
> not argc + 1.  Also please note that second argument of the function
> refers to address before the start of the array, which seems to 
> be a very bad programming style, and which in fact is a root cause of the 
> crash as rrd_last() tries to display argv[0] in an error message.

Ouch! What an ugly hack …

> The attached patch fixes the problem.

Thanks for tracing that back and providing a patch! Imho, the patch
looks fine. With this E-mail, I'm forwarding the issue and the patch
upstream, hoping for inclusion in the upstream SVN. I'll upload a fixed
package to Debian soonish.

Cheers,
Sebastian

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety.         -- Benjamin Franklin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rrd_cgi.patch
Type: text/x-diff
Size: 589 bytes
Desc: not available
Url : http://lists.oetiker.ch/pipermail/rrd-developers/attachments/20100314/6057d1db/attachment-0001.patch 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
Url : http://lists.oetiker.ch/pipermail/rrd-developers/attachments/20100314/6057d1db/attachment-0001.pgp

More information about the rrd-developers mailing list