Skip to content

Fix memory corruption in mkstr caused by integer overflow#527

Merged
nook24 merged 2 commits intomasterfrom
remove_tv_str_light
Mar 18, 2026
Merged

Fix memory corruption in mkstr caused by integer overflow#527
nook24 merged 2 commits intomasterfrom
remove_tv_str_light

Conversation

@nook24
Copy link
Copy Markdown
Member

@nook24 nook24 commented Mar 17, 2026

We have noticed random segfaults on one of our systems during the creating of status.dat.
Since Naemon 1.5.0, tv_str is called in the For-loop for each host and service status object, which will increase the counter of slot by one each time. After 2.147.483.647 the integer will flip into -2.147.483.648 and modulo of a negativ dividend will result in a negativ value in C (and PHP, Go JavaScript).
When reading buf[-2147468803] whatever is at this address will be overwritten.

This is a stripped down version of #526 which will keep the tv_str method as the issue was within the underlying mkstr.

Some thoughts and discoveries:
I would suggest to replace tv_str with a version which will not depend on a rolling buffer like so

/* format duration seconds into human readable string */
void tv_str_r(const struct timeval *tv, char *buf, size_t buflen) {
    snprintf(buf, buflen, "%lu.%06lu", (unsigned long)tv->tv_sec, (unsigned long)tv->tv_usec);
}
char buf[32];
tv_str_r(&tv, buf, sizeof(buf));
printf("Time: %s\n", buf);
/* No free required if the buffer is allocated by the caller on the stack */

Also fprintf can do this as well

// The (unsigned long) cast is so we don't have to worry about 32 vs 64 bit time_t.
fprintf(fp, "\tlast_update=%lu.%06lu\n", (unsigned long)temp_service->last_update.tv_sec, (unsigned long)temp_service->last_update.tv_usec);

In addition, mkstr is not thread-safe which is irrelevant for Naemon, but could be relevant when a broker module with threads is the caller. To resolve this, we could use the __thread keyword like so

#define MKSTR_BUFS 256 /* should be plenty */
const char *mkstr(const char *fmt, ...)
{
	static __thread char buf[MKSTR_BUFS][32]; /* 8k statically on the stack */
	static __thread unsigned int slot = 0;
	char *ret;

	va_list ap;
	va_start(ap, fmt);
	ret = buf[slot++ % MKSTR_BUFS];
	vsnprintf(ret, sizeof(buf[0]), fmt, ap);
	va_end(ap);
	return ret;
}

In this case, we have to link pthread as well in the Makefile.am
For all binaries

LDADD = libnaemon.la $(GLIB_LIBS) -lm -ldl -lpthread

Or only for Naemon

src_naemon_naemon_LDFLAGS = -rdynamic -lpthread

@nook24
Fix memory corruption in mkstr caused by integer overflow
c25d5d3 
The static 'slot' variable in mkstr() was previously a signed 32-bit
integer. On high-load systems (e.g., during status data dumps), this
counter could overflow, becoming negative.

In C, a negative dividend with the modulo operator (slot % 256) results
in a negative index. This caused the 'ret' pointer to point to memory
addresses BEFORE the actual buffer. In our case, this led to a SIGSEGV
because a timestamp string was written directly over the 'contact_list'
pointer, which happened to be located in that memory region.

Changes:
- Changed 'slot' from signed int to unsigned int (uint) to ensure
  the modulo result is always positive and within buffer bounds.
- This ensures that upon reaching UINT_MAX, the counter wraps
  safely back to zero.

Signed-off-by: nook24 <d.ziegler@avendis.com>
@nook24 nook24 mentioned this pull request Mar 17, 2026
Closed
@nook24
refactor: improve portability of timeval string formatting
6a22f40 
Cast tv_sec to long long and tv_usec to long to ensure consistent
behavior across 32-bit and 64-bit architectures and avoid format
string warnings/mismatches.

Signed-off-by: nook24 <d.ziegler@avendis.com>
@nook24 nook24 merged commit d87448d into master Mar 18, 2026
33 checks passed
@nook24 nook24 mentioned this pull request Mar 19, 2026
Merged
@nook24 nook24 deleted the remove_tv_str_light branch March 23, 2026 09:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sni sni sni approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nook24 @sni