buffer overflow in global_ctx

lines 27 and 28 of rrd_not_thread_safe.c are the wrong way round.  as a
result, global_ctx->rrd_error points to a 256 byte buffer, while
global_ctx->len claims it's 4096 bytes.

this means a long enough error message can lead to a buffer overflow in
rrd_set_error().

the attached patch (against the SVN snapshot) fixes this.

--matt


--
Matthew Boyle
Junior Systems Administrator
DecisionSoft Limited                        http://www.decisionsoft.com

--- rrdtool-1.2.99908020600/src/rrd_not_thread_safe.c   2008-04-08 23:00:54.000000000 +0100
+++ rrdtool-1.2.99908020600-modified/src/rrd_not_thread_safe.c  2008-04-10 10:53:17.655432570 +0100
@@ -24,8 +24,8 @@
 static struct rrd_context global_ctx = {
     MAXLEN,
     ERRBUFLEN,
+    rrd_liberror,
     rrd_error,
-    rrd_liberror
 };
 
 /* #include <stdarg.h> */


_______________________________________________
rrd-developers mailing list
rrd-developers@...
https://lists.oetiker.ch/cgi-bin/listinfo/rrd-developers

Hi Matthew,

hmm .. at least in svn the code is in sync ... it was fixed in

r1391 | oetiker | 2008-06-01 22:31:12 +0200 (Sun, 01 Jun 2008) | 2 lines

fliped order of rrd_context entries to match up with what is
defined in rrd.h (based on debian bug 450578)




Apr 10 Matthew Boyle wrote:

--
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
http://it.oetiker.ch tobi@... ++41 62 775 9902 / sb: -9900

_______________________________________________
rrd-developers mailing list
rrd-developers@...
https://lists.oetiker.ch/cgi-bin/listinfo/rrd-developers