[ZBX-1050] Some windows eventlog messages cause zabbix agent to crash at 'FormatMessage()'. Created: 2009 Sep 22  Updated: 2017 May 30  Resolved: 2009 Sep 23

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent (G)
Affects Version/s: 1.6
Fix Version/s: 1.6.6, 1.9.0 (alpha)

Type: Incident report
Priority: Critical
Reporter: Takanori Suzuki
Assignee: Alexander Vladishev
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Windows(XP, 2003), Zabbix Agent 1.6.6 from ZABBIX SIA.


Attachments: File zabbix-1.6.6-eventlog_formatmessage_crash.patch    

 Description   

Some Windows eventlog messages cause zabbix agent to crash at 'FormatMessage()'.

If 'hLib' has more arguments than the number of elements in the 'aInsertStrs' array, zabbix will crash at 'FormatMessage()'.
But zabbix restricts the number of elements in the 'aInsertStrs' array to less than 'MAX_INSERT_STRS'.
In zabbix 1.6.6, 'MAX_INSERT_STRS' is 64.
So, if 'hLib' has more than 64 arguments, it will crash.
> for (
> i = 0, pCh = (char *)((LPBYTE)pELR + pELR->StringOffset);
> i < pELR->NumStrings && i < MAX_INSERT_STRS;
> i++, pCh += strlen(pCh) + 1) /* point to next string */
> {
> aInsertStrs[i] = pCh;
> }

Most eventlogs don't have more than 64 arguments.
But some eventlogs do.
Actually, I found this problem with a SAP eventlog which has more than 64 arguments.
I cannot attach the dll, but it is easy to reproduce the same crash situation by setting MAX_INSERT_STRS to a small number, like 1, 2 or 3.
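
One way to guard against the condition described above, as an added example that is not part of the original report or the Zabbix source: a portable C sketch (no Windows API calls) that sizes the insert array for the full %1..%99 range quoted from the FormatMessage documentation in the comments and points unused slots at an empty string. The names FM_MAX_INSERTS, highest_insert_ref and collect_inserts are hypothetical, and the record bytes are constructed.

```c
#include <ctype.h>
#include <string.h>
#define FM_MAX_INSERTS 99 /* FormatMessage accepts %1 .. %99 */

/* Highest %n insert referenced by a message template, 0 if none.
 * Non-numeric escapes such as "%%" are skipped. */
static int highest_insert_ref(const char *tmpl)
{
    int max = 0;
    for (const char *p = tmpl; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (*++p == '\0')
            break;
        if (!isdigit((unsigned char)*p))
            continue;
        int n = *p - '0';
        if (isdigit((unsigned char)p[1]))
            n = n * 10 + (*++p - '0');
        if (n > max)
            max = n;
    }
    return max;
}

/* Point out[] at the first `count` NUL-terminated strings inside buf[0..len),
 * then at "" for every unused slot. Returns how many came from the record. */
static int collect_inserts(const char *buf, size_t len, int count,
                           const char *out[FM_MAX_INSERTS])
{
    int i = 0;
    size_t off = 0;
    while (i < count && i < FM_MAX_INSERTS && off < len) {
        const char *end = memchr(buf + off, '\0', len - off);
        if (end == NULL)
            break; /* unterminated tail: never read past len */
        out[i++] = buf + off;
        off = (size_t)(end - buf) + 1;
    }
    for (int j = i; j < FM_MAX_INSERTS; j++)
        out[j] = "";
    return i;
}

int main(void)
{
    const char *ins[FM_MAX_INSERTS];
    const char rec[] = "disk\0full"; /* constructed record: two strings */
    return collect_inserts(rec, sizeof rec, 5, ins) == 2 ? 0 : 1;
}
```

Comparing highest_insert_ref() on a template against the number of slots actually populated shows, before formatting, whether a message would reference an insert that the record did not supply.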



 Comments   
Comment by Alexei Vladishev [ 2009 Sep 22 ]

Thanks for reporting this!

It is very likely that the problem exists. We need some time to confirm it.

Alexei

Comment by Takanori Suzuki [ 2009 Sep 22 ]

solution:
FormatMessage() can treat 'hLib' arguments from 1 through 99.
So, I changed the setting 'MAX_INSERT_STRS' to 100.
I'll attach the patch "zabbix-1.6.6-eventlog_formatmessage_crash.patch".
I checked that it works well with the SAP eventlog.

reference:
http://msdn.microsoft.com/en-us/library/ms679351%28VS.85%29.aspx
At "%n!format string!", there is the following message.
"The value of n can be in the range from 1 through 99."

Comment by Takanori Suzuki [ 2009 Sep 22 ]

Thank you Alexei.

I forgot to report where the crash occurs in the source code.
It occurs at src/zabbix_agent/eventlog.c:219

Comment by Alexander Vladishev [ 2009 Sep 23 ]

Fixed in 1.6 (pre1.6.7) and trunk branches, revision 7958.

Comment by richlv [ 2009 Nov 10 ]

close old, resolved issues
