[rrd-developers] segfaulting bug in rrdtool/rrdcached

Tobias Oetiker tobi at oetiker.ch
Mon Jan 16 12:00:03 CET 2012


Hi James,

thanks for your patch, added in r2251

cheers
tobi
Dec 27 James Brown wrote:

> There's a bug in the current HEAD of rrdtool (and I suppose going back to
> mid-2007, from the svn blame output) which causes it to segfault if you
> point it at an rrdcached socket which isn't writable. I've attached a patch
> against trunk, and reproduction steps are below:
>
> cd ~
> mkdir rrds/
> rrdtool create rrds/test.rrd DS:data:GAUGE:360:U:U RRA:MAX:0.5:1:120 -s 1
> rrdtool update rrds/test.rrd N:0
> rrdtool xport --start $(( $(date +%s) - 120)) --end $(date +%s)
> DEF:ds0=$HOME/rrds/test.rrd:data:MAX XPORT:ds0     *(this one should work)*
> rrdtool xport --start $(( $(date +%s) - 120)) --end $(date +%s) --daemon
> $HOME/this_path_does_not_exist.sock DEF:ds0=$HOME/rrds/test.rrd:data:MAX
> XPORT:ds0    *(this one should segfault)*
>
> rrdtool is assuming that rrd_xport will always return -1 on failure;
> however, rrd_xport returns errno (which is, generally, not -1) if
> rrd_client fails. I figured it was easier to change rrdtool than to change
> everything in rrd_client. For good measure, I also changed the checks on
> the calls to rrd_fetch and rrd_graph. I'm not sure if they're susceptible
> to the same problem, but, well, better to check for the one thing you do
> want than to enumerate all the possible things you don't want.
>
> This segfault is caused by an uninitialized variable use (in particular,
> legend_v and col_cnt end up being used and passed to printf uninitialized).
> Nothing offhand jumped out at me as easily-exploitable to do code
> injection, but I only spent five or so minutes looking at it, so there very
> well may be a security problem hiding behind this.
>
> Cheers,
>

-- 
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
http://it.oetiker.ch tobi at oetiker.ch ++41 62 775 9902 / sb: -9900
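The return-code mismatch James describes, as an added C illustration that is not rrdtool's code: `fake_xport` is a constructed stand-in that, like rrd_client, returns errno rather than -1 when the daemon socket is unusable, and the two callers put the `== -1` check from the report beside the success-only check he argues for.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in (not rrdtool's code) for rrd_xport()'s failure path:
 * when the rrdcached socket is unusable the real call fails in rrd_client
 * and returns errno (positive, never -1) with its outputs untouched.
 * A NULL socket path means "no daemon" and succeeds. */
int fake_xport(const char *daemon_sock, unsigned long *col_cnt,
               char ***legend_v)
{
    static char *legend[] = { "ds0" };
    if (daemon_sock != NULL && access(daemon_sock, W_OK) != 0)
        return errno;            /* ENOENT, EACCES, ... */
    *col_cnt = 1;
    *legend_v = legend;
    return 0;
}

/* The check from the report: only -1 is failure, so an errno return is
 * taken as success and col_cnt/legend_v would be used uninitialized.
 * Returns 1 when the caller would go on to use them (the real code then
 * crashes in printf); they are deliberately not read here. */
int xport_buggy_check(const char *daemon_sock)
{
    unsigned long col_cnt;       /* uninitialized, as in the report */
    char **legend_v;
    int rc = fake_xport(daemon_sock, &col_cnt, &legend_v);
    if (rc == -1)
        return 0;
    return 1;
}

/* The check James argues for: anything other than 0 is a failure. */
int xport_fixed_check(const char *daemon_sock)
{
    unsigned long col_cnt = 0;
    char **legend_v = NULL;
    int rc = fake_xport(daemon_sock, &col_cnt, &legend_v);
    if (rc != 0) {
        fprintf(stderr, "rrd_xport failed: %s\n", strerror(rc));
        return 0;
    }
    for (unsigned long i = 0; i < col_cnt; i++)
        printf("%s\n", legend_v[i]);
    return 1;
}
```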
