Icinga / icinga2

The core of our monitoring platform with a powerful configuration language and REST API.
https://icinga.com/docs/icinga2/latest
GNU General Public License v2.0

Downtime::AddDowntime(): NULL-check pointer before deref not to crash #10049

Closed Al2Klimov closed 5 months ago

Al2Klimov commented 5 months ago

The method already checks whether triggeredBy is empty before GetByName(triggeredBy). But a non-empty string doesn't necessarily name an existing Downtime. I.e. the pointer from GetByName(triggeredBy) must be NULL-checked.

ref/IP/46868

(gdb) frame 7
#7  icinga::Downtime::AddDowntime (checkable=..., author=..., comment=...,
    startTime=1713696054, endTime=1713699654, fixed=<optimized out>,
    triggeredBy=..., duration=3600, scheduledDowntime=..., scheduledBy=...,
    parent=..., id=..., origin=...)
    at /usr/src/debug/icinga2-2.14.0-1.el8.x86_64/lib/icinga/downtime.cpp:331
331         Array::Ptr triggers = parentDowntime->GetTriggers();
(gdb) p parentDowntime
$1 = {px = 0x0}
(gdb)

CC @tbauriedel

Edit

Btw. complain on such bad input via API.

tbauriedel commented 5 months ago

ref/NC/789598

Al2Klimov commented 5 months ago
> POST /v1/actions/schedule-downtime HTTP/1.1
> Host: 127.0.0.1:5665
> Authorization: Basic cm9vdDoxMjM0NTY=
> User-Agent: curl/8.4.0
> Accept: application/json
> Content-Length: 147
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 404 Not Found
< Server: Icinga/v2.14.0-158-g5ba652af9
< Content-Type: application/json
< Content-Length: 937
<
* Connection #0 to host 127.0.0.1 left intact
{"results":[{"code":404,"status":"Won't schedule downtime with non-existent trigger downtime."},{"code":404,"status":"Won't schedule downtime with non-existent trigger downtime."},{"code":404,"status":"Won't schedule downtime with non-existent trigger downtime."},{"code":404,"status":"Won't schedule downtime with non-existent trigger downtime."},{"code":404,"status":"Won't schedule downtime with non-existent trigger downtime."},{"code":404,"status":"Won't schedule downtime with non-existent trigger downtime."},{"code":404,"status":"Won't schedule downtime with non-existent trigger downtime."},{"code":404,"status":"Won't schedule downtime with non-existent trigger downtime."},{"code":404,"status":"Won't schedule downtime with non-existent trigger downtime."},{"code":404,"status":"Won't schedule downtime with non-existent trigger downtime."},{"code":404,"status":"Won't schedule downtime with non-existent trigger downtime."}]}

👍
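The check this pull request describes, as an added C++ example that is not part of the thread and not Icinga 2's source: a simplified model in which `GetByName()` returns a null pointer for an unknown name and `AddDowntime()` rejects the request before dereferencing the pointer or creating any object. The `Downtime` and `Result` types, the `g_registry` map, the sample names and the success status text are assumptions; the 404 status text is the one shown in the API response above.

```cpp
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Simplified stand-ins (assumptions), not Icinga 2 source code.
struct Downtime {
    std::string name;
    std::vector<std::string> triggers; // names of downtimes triggered by this one
};
using DowntimePtr = std::shared_ptr<Downtime>;
struct Result { int code; std::string status; };

static std::map<std::string, DowntimePtr> g_registry; // constructed object registry

// Lookup by name; yields a null pointer when no such object exists.
DowntimePtr GetByName(const std::string& name) {
    auto it = g_registry.find(name);
    if (it == g_registry.end())
        return nullptr;
    return it->second;
}

Result AddDowntime(const std::string& name, const std::string& triggeredBy) {
    DowntimePtr parent;
    if (!triggeredBy.empty()) {
        parent = GetByName(triggeredBy);
        // A non-empty name proves nothing about existence: check the pointer
        // before any dereference and before any state is changed.
        if (!parent)
            return {404, "Won't schedule downtime with non-existent trigger downtime."};
    }
    auto downtime = std::make_shared<Downtime>();
    downtime->name = name;
    g_registry[name] = downtime;
    if (parent)
        parent->triggers.push_back(name); // safe: parent was validated above
    return {200, "Scheduled downtime '" + name + "'."}; // constructed status text
}

int main() {
    // Constructed requests: no trigger, valid trigger, dangling trigger.
    const char* reqs[][2] = {{"dt-a", ""}, {"dt-b", "dt-a"}, {"dt-c", "no-such-downtime"}};
    for (auto& r : reqs) {
        Result res = AddDowntime(r[0], r[1]);
        std::cout << r[0] << ": " << res.code << " " << res.status << "\n";
    }
    return 0;
}
```

Because the lookup is validated before the new object is registered, a rejected request leaves the registry untouched rather than leaving a half-created downtime behind.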