[collectd] A couple of collectd crashes

Dan Fandrich dan at coneharvesters.com
Tue Feb 5 00:02:17 CET 2013


I managed to get collectd to segfault in a couple of places while playing
with it a bit. The first is in the curl_xml module when the XPATH expression
doesn't quite match the input. The crash occurs on line 407 when
instance_node->nodeTab[0] is dereferenced. At this point, all members of
instance_node are 0, so dereferencing the array isn't a good idea. This patch
fixes the problem, although I'm not sure if this particular case actually
deserves its own error message:

diff --git a/src/curl_xml.c b/src/curl_xml.c
index 2a36608..2b1d247 100644
--- a/src/curl_xml.c
+++ b/src/curl_xml.c
@@ -385,7 +385,7 @@ static int cx_handle_instance_xpath (xmlXPathContextPtr xpath_ctx, /* {{{ */
     instance_node = instance_node_obj->nodesetval;
     tmp_size = (instance_node) ? instance_node->nodeNr : 0;
 
-    if ( (tmp_size == 0) && (is_table) )
+    if (tmp_size == 0)
     {
       WARNING ("curl_xml plugin: "
           "relative xpath expression for 'InstanceFrom' \"%s\" doesn't match "
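
Review bot: the WARNING inside this block was previously reached only when is_table was set, and with the condition widened to "if (tmp_size == 0)" the same 'InstanceFrom' text is now logged for the non-table case too, so confirm the wording fits both or give the non-table case its own message. A one-line comment above the check noting that it guards the later instance_node->nodeTab[0] access described in the message would keep the condition from being narrowed again.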

The second problem occurred once in stop_write_threads() during shutdown, in this
loop:

	for (q = write_queue_head; q != NULL; q = q->next)
	{
		plugin_value_list_free (q->vl);
		sfree (q);
		i++;
	}

Once q has been freed by sfree(), it's no longer safe to dereference in the
for statement. I'm attaching a fix for that.

On a side note, the check for NULL in sfree() isn't actually necessary--ANSI C
specifies that free() must be safe when given a NULL pointer.

>>> Dan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-a-NULL-pointer-dereference-during-shutdown.patch
Type: text/x-diff
Size: 781 bytes
Desc: not available
URL: <http://mailman.verplant.org/pipermail/collectd/attachments/20130205/5e7b7336/attachment.patch>
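
The list-teardown pattern discussed in the message, as an added example (not collectd source and not the attached patch): the link to the next entry is read before the current entry is freed. The names wq_node_t, wq_head, wq_push and wq_drain are hypothetical stand-ins for the write queue.

```c
#include <stdlib.h>

/* Hypothetical stand-in for a write-queue entry (not collectd's struct). */
typedef struct wq_node_s {
    int *payload;               /* plays the role of q->vl */
    struct wq_node_s *next;
} wq_node_t;

static wq_node_t *wq_head = NULL;

/* Prepend an entry; returns 0 on success, -1 on allocation failure. */
static int wq_push(int value)
{
    wq_node_t *n = malloc(sizeof(*n));
    int *p = malloc(sizeof(*p));
    if (n == NULL || p == NULL) {
        free(n);                /* free(NULL) is a no-op */
        free(p);
        return -1;
    }
    *p = value;
    n->payload = p;
    n->next = wq_head;
    wq_head = n;
    return 0;
}

/* Free every entry and return how many were freed. */
static int wq_drain(void)
{
    int i = 0;
    wq_node_t *q = wq_head;
    wq_head = NULL;             /* detach so no stale head pointer remains */
    while (q != NULL) {
        wq_node_t *next = q->next;  /* read the link before q is freed */
        free(q->payload);
        free(q);
        q = next;
        i++;
    }
    return i;
}

int main(void)
{
    for (int v = 1; v <= 3; v++)
        if (wq_push(v) != 0)
            return 1;
    return wq_drain() == 3 ? 0 : 1;
}
```

Building this with -fsanitize=address and swapping the while loop for the for loop quoted in the message makes the sanitizer report the read of q->next after free.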