Commits on Source (10)
NRPE Changelog
==============
[4.0.0](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-4.0.0) - 2019-01-13
---------------------------------------------------------------------------------------
Note: This update includes security fixes which affect both the check_nrpe plugin and
the NRPE daemon. The latest version of NRPE is still able to interoperate with previous
versions, but for best results, both programs should be updated.
**ENHANCEMENTS**
* Added TLSv1.3 and TLSv1.3+ support for systems that have it (Nigel Yong, Rahul Golam)
* Added IPv6 ip address to list of default allow_from hosts (Troy Lea)
* Added -D option to disable logging to syslog (Tom Griep, Sebastian Wolf)
* Added -3 option to force check_nrpe to use NRPE v3 packets
* OpenRC: provide a default path for nrpe.cfg (Michael Orlitzky)
* OpenRC: Use RC_SVCNAME over a hard-coded PID file (j-licht)
**FIXES**
* Checks for '!' now only occur inside the command buffer (Joni Eskelinen)
* NRPE daemon is more resilient to DOS attacks (Leonid Vasiliev)
* allowed_hosts will no longer test getaddrinfo records against the wrong protocol (dombenson)
* nasty_metachars will now handle C escape sequences properly when specified in the config file (Sebastian Wolf)
* Calculated packet sizes now struct padding/alignment when sending and receiving messages (Sebastian Wolf)
* Buffer sizes are now checked before use in packet size calculation (Sebastian Wolf)
* When using `include_dir`, individual files' errors do not prevent the remaining files from being read (Sebastian Wolf)
[3.2.1](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-3.2.1) - 2017-08-31
---------------------------------------------------------------------------------------
**FIXES**
......
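Review bot: the 4.0.0 heading is dated 2019-01-13, while the PKG_REL_DATE and MODIFICATION_DATE lines in this same change are set to 2020-01-15; one of the two dates should be corrected. In the FIXES list, "Calculated packet sizes now struct padding/alignment" is missing its verb (the header comment added in this change says v4 "takes struct padding into account").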
# Contributing
Thank you for considering contributing your time and effort to this Nagios project.
This document serves as our guidelines for contribution. Keep in mind that these
are simply *guidelines* - nothing here is set in stone.
## Questions
If you have a question, you don't need to file an Issue. You can simply connect
with the Nagios Support Team via the
[Nagios Support Forum](https://support.nagios.com/forum/).
Not to say that you **can't** open an Issue - but you'll likely get a much faster
response by posting it on the forum.
## Ideas
If you have an idea your best bet is to open an Issue. This gets it on the radar much
quicker than any other method.
First, let's define what an "Idea" really is. An Idea is simply an
[Enhancement](#enhancements) request in its infancy.
There's really nothing to it!
Something as simple as "I think that this project should somehow connect with a
widget" is a valid Idea.
These are unrefined and raw. That's why you open an issue - so everyone gets a chance
to chime in and come up with a plan!
## Feedback
Feedback can be given via several methods. The *easiest* method is by opening an Issue.
You're more than welcome to leave feedback on the
[Nagios Support Forum](https://support.nagios.com/forum/) as well.
By opening an Issue, however, you're insuring that the maintainers and reviewers are
the first ones to see the feedback. In most cases, this is likely ideal.
## Bugs
Here's where it starts to get serious.
Following the guidelines outlined in this section allows the maintainers, developers, and
community to understand and reproduce your bug report.
Make sure to search existing open and closed [Issues](https://guides.github.com/features/issues/)
before opening a bug report. If you find a closed Issue that seems like it's the same
thing that you're experiencing, open a new Issue and include a link to the original Issue
in the body of the new one.
**If you have a bug, you *NEED* to open an Issue.**
Not only that, but when you open the Issue, this is what we ***absolutely require***:
* Use a clear and concise title for the Issue to identify the problem accurately
* Describe the bug with as much detail as you can
* Include the version of the project containing the bug you're reporting
* Include your operating system information (`uname -a`)
* Include a list of third party modules that are installed and/or loaded
* Explain the behavior you expected to see (and why) vs. what actually happened
Once you've got that covered - there's still more to include if you want to
make a ***killer*** report:
* Describe the ***exact steps*** that reproduce the problem
* Provide **specific** examples to demonstrate those steps
* If your bug is from an older version, make sure test against the latest (and/or the `maint` branch)
* Include any screenshots that can help explain the issue
* Include a file containing `strace` and/or `valgrind` output
* Explain when the problem started happening: was it after an upgrade? or was it always present?
* Define how reliably you can reproduce the bug
* Any other information that you decide is relevant is also welcome
## Enhancements
An enhancement is either a completely new feature or an improvement to existing
functionality. We consider it to be a bit different than idea - based solely
on the fact that it's more detailed than an idea would be.
So you've got an idea for an ehancement? Great!
Following the guidelines outlined in this section allows maintainers, developers, and
the community to understand your enhancement and determine whether or not it's worth
doing and/or what's involved in carrying it out.
Make sure to search open and closed Issues and Pull Requests to determine if
someone has either submitted the enhancement. If you feel like your enhancement
is similar to one found, make sure to link the original in your request.
Enhancements are submitted by opening an Issue.
Unlike an [Idea](#idea), when you decide to submit your enhancement and open
the Issue, we require at least the following information:
* Use a clear and descriptive title to illustrate the enhancement you're requesting
* Describe the current behavior (if it exists) and what changes you think should be made
* Explain the enhancement in detail - make sure it makes sense and is easily understandable
* Specify why the enhancement would be useful and who it would be useful to
* If there is some other project or program where this enhancement already exists, make sure
to link to it
Beyond that, there are a few more things you can do to make sure you **really** get your
point across:
* Create a mockup of the enhancement (if applicable) and attach whatever files you can
* Provide a step-by-step description of the suggested enhancement
* Generate a fully dressed use-case for the enhancement request
* Create a specification for the preferred implementation of the enhancement
* Include a timeline regarding development expectations towards the request
## Submitting Code
Everything else in this document has lead up to this moment - how can ***you*** submit
code to the **project**.
We allow code submissions via [Pull Requests](https://help.github.com/articles/about-pull-requests/).
These let you (and us) discuss and review any changes to code in any repository you've made.
How to create and manage Pull Requests is outside of the scope of this document, but make
sure to check out GitHub's official documentation ([link here](https://help.github.com/))
to get a handle on it.
While you're forking the repository to create a patch or an enhancement, create a *new
branch* to make the change - it will be easier to submit a pull request using a new
branch in your forked repository!
When you submit a Pull Request, make sure you follow the guidelines:
* Make sure you're submitting to the proper branch. Branch `maint` is used for the
**next** bugfix release. The next enhancement release branch will vary.
* ***NEVER*** submit a Pull Request to `master` branch.
* Keep commit messages as concise as possible.
* Update the appropriate files in regards to your changes:
* `CHANGES`
* `THANKS`
* End all committed files with a newline.
* Test your changes and include the results as a comment.
\ No newline at end of file
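Review bot: the file ends without a trailing newline (the "\ No newline at end of file" marker) while its own Submitting Code list says "End all committed files with a newline."; add the newline. The link `[Idea](#idea)` under Enhancements does not match the `## Ideas` heading, so the anchor should be `#ideas`. Spelling: "ehancement", "has lead up" (led), "insuring" (ensuring), "make sure test against" (make sure to test).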
......@@ -2487,9 +2487,9 @@ ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var.
PKG_NAME=nrpe
PKG_VERSION="3.2.1"
PKG_VERSION="4.0.0"
PKG_HOME_URL="http://www.nagios.org/"
PKG_REL_DATE="2017-09-01"
PKG_REL_DATE="2020-01-15"
RPM_RELEASE=1
LANG=C
......
......@@ -11,9 +11,9 @@ AC_CONFIG_AUX_DIR([build-aux])
AC_PREFIX_DEFAULT(/usr/local/nagios)
PKG_NAME=nrpe
PKG_VERSION="3.2.1"
PKG_VERSION="4.0.0"
PKG_HOME_URL="http://www.nagios.org/"
PKG_REL_DATE="2017-09-01"
PKG_REL_DATE="2020-01-15"
RPM_RELEASE=1
LANG=C
......
nagios-nrpe (3.2.1-4) UNRELEASED; urgency=medium
nagios-nrpe (4.0.0-1) unstable; urgency=medium
* Move from experimental to unstable.
-- Bas Couwenberg <sebastic@debian.org> Thu, 16 Jan 2020 08:09:17 +0100
nagios-nrpe (4.0.0-1~exp1) experimental; urgency=medium
[ Bas Couwenberg ]
* New upstream release.
* Bump Standards-Version to 4.4.1, no changes.
* Refresh patches.
* Use single tab for dh command in rules.
* Drop --parallel dh argument, used by default with compat 10.
[ Debian Janitor ]
* Bump debhelper from old 9 to 10.
......@@ -9,7 +19,7 @@ nagios-nrpe (3.2.1-4) UNRELEASED; urgency=medium
* Remove obsolete field Name from debian/upstream/metadata (already
present in machine-readable debian/copyright).
-- Bas Couwenberg <sebastic@debian.org> Mon, 30 Sep 2019 20:08:13 +0200
-- Bas Couwenberg <sebastic@debian.org> Thu, 16 Jan 2020 06:07:37 +0100
nagios-nrpe (3.2.1-3) unstable; urgency=medium
......
......@@ -5,7 +5,7 @@ Forwarded: not-needed
--- a/sample-config/nrpe.cfg.in
+++ b/sample-config/nrpe.cfg.in
@@ -359,3 +359,16 @@ command[check_total_procs]=@pluginsdir@/
@@ -361,3 +361,16 @@ command[check_total_procs]=@pluginsdir@/
#include_dir=<somedirectory>
#include_dir=<someotherdirectory>
......
......@@ -11,7 +11,7 @@ CFLAGS += $(CPPFLAGS)
export AUTOHEADER=true
%:
dh $@ --with systemd --parallel
dh $@ --with systemd
override_dh_auto_configure:
dh_auto_configure -- \
......
......@@ -37,8 +37,8 @@
# endif
#endif
#define PROGRAM_VERSION "3.2.1"
#define MODIFICATION_DATE "2017-09-01"
#define PROGRAM_VERSION "4.0.0"
#define MODIFICATION_DATE "2020-01-15"
#define OK 0
#define ERROR -1
......@@ -66,12 +66,23 @@
#define QUERY_PACKET 1 /* id code for a packet containing a query */
#define RESPONSE_PACKET 2 /* id code for a packet containing a response */
#define NRPE_PACKET_VERSION_3 3 /* packet version identifier */
/* v4 takes struct padding into account, so the buffer "takes" 4 bytes
* v3 removes the 1 byte that "should" be allocated to buffer.
*/
#define NRPE_V4_PACKET_SIZE_OFFSET 4
#define NRPE_V3_PACKET_SIZE_OFFSET 1
/* packet version identifiers */
#define NRPE_PACKET_VERSION_4 4 /* Same as version 3, but accounts for struct padding in network code */
#define NRPE_PACKET_VERSION_3 3 /* Allows for variable-length buffer */
#define NRPE_PACKET_VERSION_2 2
#define NRPE_PACKET_VERSION_1 1 /* older packet version identifiers (no longer supported) */
#define MAX_PACKETBUFFER_LENGTH 1024 /* amount of data to send in one query/response vor version 2 */
#define NRPE_DEFAULT_PACKET_VERSION NRPE_PACKET_VERSION_4
typedef struct _v2_packet {
int16_t packet_version;
int16_t packet_type;
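Review bot: NRPE_V4_PACKET_SIZE_OFFSET hard-codes 4 as the space the compiler gives `char buffer[1]` plus its tail padding, which holds only for the ABI it was measured on; `offsetof(v3_packet, buffer)` states the header length directly and removes the magic number from the v4 path. The MAX_PACKETBUFFER_LENGTH comment has "vor" for "for".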
......@@ -89,6 +100,8 @@ typedef struct _v3_packet {
char buffer[1];
} v3_packet;
typedef v3_packet v4_packet;
/**************** OPERATING SYSTEM SPECIFIC DEFINITIONS **********/
#if defined(__sun) || defined(__hpux)
......
......@@ -24,6 +24,8 @@
*
****************************************************************************/
#include <limits.h>
typedef struct command_struct {
char *command_name;
char *command_line;
......
......@@ -49,5 +49,6 @@ void open_log_file();
void logit(int priority, const char *format, ...);
void close_log_file();
void display_license(void);
extern int disable_syslog;
#endif
......@@ -22,7 +22,7 @@
%define _sysconfdir /etc/nagios
%define name @PACKAGE_NAME@
%define version 3.2.1
%define version 4.0.0
%define release @RPM_RELEASE@
%define nsusr @nrpe_user@
%define nsgrp @nrpe_group@
......
......@@ -270,7 +270,9 @@ connection_timeout=300
# nasty_metachars="|`&><'\\[]{};\r\n"
# This option allows you to enable or disable logging error messages to the syslog facilities.
# If this option is not set, the error messages will be logged.
disable_syslog=0
# COMMAND DEFINITIONS
# Command definitions that this daemon will run. Definitions
......
......@@ -544,14 +544,14 @@ int is_an_allowed_host(int family, void *host)
if (!getaddrinfo(dns_acl_curr->domain, NULL, NULL, &res)) {
for (ai = res; ai; ai = ai->ai_next) {
if (ai->ai_family == family) {
switch (ai->ai_family) {
case AF_INET:
if (debug == TRUE) {
tmp.s_addr = ((struct in_addr *) host)->s_addr;
logit(LOG_INFO, "is_an_allowed_host (AF_INET): is host >%s< "
"an allowed host >%s<\n",
logit(LOG_INFO, "is_an_allowed_host (AF_INET): test match host >%s< "
"for allowed host >%s<\n",
inet_ntoa(tmp), dns_acl_curr->domain);
}
......@@ -565,13 +565,27 @@ int is_an_allowed_host(int family, void *host)
break;
case AF_INET6:
if (debug == TRUE) {
char formattedStr[INET6_ADDRSTRLEN];
inet_ntop(ai->ai_family, (void *) &(((struct sockaddr_in6 *) (ai->ai_addr))->sin6_addr),
formattedStr, INET6_ADDRSTRLEN);
logit(LOG_INFO, "is_an_allowed_host (AF_INET6): test match host against >%s< "
"for allowed host >%s<\n",
formattedStr, dns_acl_curr->domain);
}
struct in6_addr *resolved = &(((struct sockaddr_in6 *) (ai->ai_addr))->sin6_addr);
memcpy((char *) &addr6, ai->ai_addr, sizeof(addr6));
if (!memcmp(&addr6.sin6_addr, &host, sizeof(addr6.sin6_addr)))
if (!memcmp(&addr6.sin6_addr, host, sizeof(addr6.sin6_addr))) {
if (debug == TRUE)
logit(LOG_INFO, "is_an_allowed_host (AF_INET6): "
"host is in allowed host list!");
return 1;
}
break;
}
}
}
}
dns_acl_curr = dns_acl_curr->next;
}
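Review bot: `resolved` in the AF_INET6 case is initialised from ai->ai_addr but is not used in the lines shown; the comparison still goes through the memcpy into addr6, so either compare against `resolved` and drop the memcpy, or remove the variable. The new "host is in allowed host list!" message also lacks the trailing \n that the other logit() calls in this function carry.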
......
......@@ -65,8 +65,9 @@ char query[MAX_INPUT_BUFFER] = "";
int show_help = FALSE;
int show_license = FALSE;
int show_version = FALSE;
int packet_ver = NRPE_PACKET_VERSION_3;
int packet_ver = NRPE_DEFAULT_PACKET_VERSION;
int force_v2_packet = 0;
int force_v3_packet = 0;
int payload_size = 0;
extern char *log_file;
......@@ -87,7 +88,7 @@ int use_ssl = FALSE;
/* SSL/TLS parameters */
typedef enum _SSL_VER {
SSL_Ver_Invalid = 0, SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus,
TLSv1, TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus
TLSv1, TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus, TLSv1_3, TLSv1_3_plus
} SslVer;
typedef enum _CLNT_CERTS { Ask_For_Cert = 1, Require_Cert = 2 } ClntCerts;
......@@ -129,6 +130,8 @@ static int verify_callback(int ok, X509_STORE_CTX * ctx);
#endif
void alarm_handler(int);
int graceful_close(int, int);
int disable_syslog = FALSE;
int main(int argc, char **argv)
{
......@@ -175,7 +178,7 @@ int main(int argc, char **argv)
if (result == -1) {
/* Failure reading from remote, so try version 2 packet */
logit(LOG_INFO, "Remote %s does not support Version 3 Packets", rem_host);
logit(LOG_INFO, "Remote %s does not support version 3/4 packets", rem_host);
packet_ver = NRPE_PACKET_VERSION_2;
/* Rerun the setup */
......@@ -198,7 +201,7 @@ int main(int argc, char **argv)
}
if (result != -1 && force_v2_packet == 0 && packet_ver == NRPE_PACKET_VERSION_2)
logit(LOG_DEBUG, "Remote %s accepted a Version %d Packet", rem_host, packet_ver);
logit(LOG_DEBUG, "Remote %s accepted a version %d packet", rem_host, packet_ver);
close_log_file(); /* close the log file */
return result;
......@@ -224,6 +227,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
{"no-ssl", no_argument, 0, 'n'},
{"unknown-timeout", no_argument, 0, 'u'},
{"v2-packets-only", no_argument, 0, '2'},
{"v3-packets-only", no_argument, 0, '3'},
{"ipv4", no_argument, 0, '4'},
{"ipv6", no_argument, 0, '6'},
{"use-adh", required_argument, 0, 'd'},
......@@ -241,6 +245,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
{"license", no_argument, 0, 'l'},
{"version", no_argument, 0, 'V'},
{"stderr-to-stdout", no_argument, 0, 'E'},
{"disable-syslog", no_argument, 0, 'D'},
{0, 0, 0, 0}
};
#endif
......@@ -250,7 +255,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
return ERROR;
optind = 0;
snprintf(optchars, MAX_INPUT_BUFFER, "H:f:b:c:a:t:p:S:L:C:K:A:d:s:P:g:246hlnuVE");
snprintf(optchars, MAX_INPUT_BUFFER, "H:f:b:c:a:t:p:S:L:C:K:A:d:s:P:g:2346hlnuVED");
while (1) {
if (argindex > 0)
......@@ -366,14 +371,21 @@ int process_arguments(int argc, char **argv, int from_config_file)
break;
case '2':
if (from_config_file && packet_ver != NRPE_PACKET_VERSION_3) {
if (from_config_file && packet_ver != NRPE_DEFAULT_PACKET_VERSION) {
logit(LOG_WARNING, "WARNING: Command-line v2-packets-only (-2) overrides the config file option.");
break;
}
packet_ver = NRPE_PACKET_VERSION_2;
force_v2_packet = 1;
break;
case '3':
if (from_config_file && packet_ver != NRPE_DEFAULT_PACKET_VERSION) {
logit(LOG_WARNING, "Warning: Command-line v3-packets-only (-3) overrides the config file option.");
break;
}
packet_ver = NRPE_PACKET_VERSION_3;
force_v3_packet = 1;
break;
case '4':
if (from_config_file && address_family != AF_UNSPEC) {
logit(LOG_WARNING, "WARNING: Command-line ipv4 (-4) or ipv6 (-6) overrides the config file option.");
......@@ -432,7 +444,11 @@ int process_arguments(int argc, char **argv, int from_config_file)
break;
}
if (!strcmp(optarg, "TLSv1.2"))
if (!strcmp(optarg, "TLSv1.3"))
sslprm.ssl_proto_ver = TLSv1_3;
else if (!strcmp(optarg, "TLSv1.3+"))
sslprm.ssl_proto_ver = TLSv1_3_plus;
else if (!strcmp(optarg, "TLSv1.2"))
sslprm.ssl_proto_ver = TLSv1_2;
else if (!strcmp(optarg, "TLSv1.2+"))
sslprm.ssl_proto_ver = TLSv1_2_plus;
......@@ -485,6 +501,11 @@ int process_arguments(int argc, char **argv, int from_config_file)
open_log_file();
break;
case 'D':
disable_syslog = TRUE;
break;
default:
return ERROR;
}
......@@ -526,6 +547,11 @@ int process_arguments(int argc, char **argv, int from_config_file)
return ERROR;
}
if (force_v2_packet && force_v3_packet) {
printf("Error: Only one of force_v2_packet (-2) and force_v3_packet (-3) can be specified.\n");
return ERROR;
}
/* make sure required args were supplied */
if (server_name == NULL && show_help == FALSE && show_version == FALSE
&& show_license == FALSE)
......@@ -687,15 +713,16 @@ void usage(int result)
printf("SSL/TLS Available: OpenSSL 0.9.6 or higher required\n");
printf("\n");
#endif
printf("Usage: check_nrpe -H <host> [-2] [-4] [-6] [-n] [-u] [-V] [-l] [-d <dhopt>]\n");
printf("Usage: check_nrpe -H <host> [-2] [-3] [-4] [-6] [-n] [-u] [-V] [-l] [-d <dhopt>]\n");
printf(" [-P <size>] [-S <ssl version>] [-L <cipherlist>] [-C <clientcert>]\n");
printf(" [-K <key>] [-A <ca-certificate>] [-s <logopts>] [-b <bindaddr>]\n");
printf(" [-f <cfg-file>] [-p <port>] [-t <interval>:<state>] [-g <log-file>]\n");
printf(" [-c <command>] [-E] [-a <arglist...>]\n");
printf(" [-c <command>] [-E] [-D] [-a <arglist...>]\n");
printf("\n");
printf("Options:\n");
printf(" -H, --host=HOST The address of the host running the NRPE daemon\n");
printf(" -2, --v2-packets-only Only use version 2 packets, not version 3\n");
printf(" -2, --v2-packets-only Only use version 2 packets, not version 3/4\n");
printf(" -3, --v3-packets-only Only use version 3 packets, not version 4\n");
printf(" -4, --ipv4 Bind to ipv4 only\n");
printf(" -6, --ipv6 Bind to ipv6 only\n");
printf(" -n, --no-ssl Do no use SSL\n");
......@@ -708,6 +735,7 @@ void usage(int result)
printf(" (This will be the default in a future release.)\n");
printf(" 1 Allow Anonymous Diffie Hellman (default)\n");
printf(" 2 Force Anonymous Diffie Hellman\n");
printf(" -D, --disable-syslog Disable logging to syslog facilities\n");
printf(" -P, --payload-size=SIZE Specify non-default payload size for NSClient++\n");
printf(" -S, --ssl-version=VERSION The SSL/TLS version to use. Can be any one of:\n");
#if OPENSSL_VERSION_NUMBER < 0x10100000
......@@ -740,6 +768,7 @@ void usage(int result)
printf(" -a, --args=LIST Optional arguments that should be passed to the command,\n");
printf(" separated by a space. If provided, this must be the last\n");
printf(" option supplied on the command line.\n");
printf(" -e Enable syslog debug messages.\n");
printf("\n");
printf(" NEW TIMEOUT SYNTAX\n");
printf(" -t, --timeout=INTERVAL:STATE\n");
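Review bot: usage() now documents `-e`, but the option string set in this patch is "H:f:b:c:a:t:p:S:L:C:K:A:d:s:P:g:2346hlnuVED" and the long-option table gains only v3-packets-only and disable-syslog, so `-e` is never accepted and ends in the `default: return ERROR;` path. Either add the option to optchars with a case for it, or drop the help line.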
......@@ -811,6 +840,12 @@ void setup_ssl()
case TLSv1_2_plus:
val = "TLSv1_2_plus And Above";
break;
case TLSv1_3:
val = "TLSv1_3";
break;
case TLSv1_3_plus:
val = "TLSv1_3_plus And Above";
break;
default:
val = "INVALID VALUE!";
break;
......@@ -850,6 +885,10 @@ void setup_ssl()
# ifdef SSL_TXT_TLSV1_2
if (sslprm.ssl_proto_ver == TLSv1_2)
meth = TLSv1_2_client_method();
# ifdef SSL_TXT_TLSV1_3
if (sslprm.ssl_proto_ver == TLSv1_3)
meth = TLSv1_3_client_method();
# endif /* ifdef SSL_TXT_TLSV1_3 */
# endif /* ifdef SSL_TXT_TLSV1_2 */
# endif /* ifdef SSL_TXT_TLSV1_1 */
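Review bot: OpenSSL provides no TLSv1_3_client_method(); its version-specific constructors stop at TLSv1_2, and TLS 1.3 is selected through the generic method together with the min/max protocol version calls used in the next hunk. This branch compiles only where SSL_TXT_TLSV1_3 is defined, so it is either dead code or a build break; drop it here and in the matching TLSv1_3_server_method() addition in init_ssl().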
......@@ -865,6 +904,15 @@ void setup_ssl()
SSL_CTX_set_max_proto_version(ctx, 0);
switch(sslprm.ssl_proto_ver) {
case TLSv1_3:
#if OPENSSL_VERSION_NUMBER >= 0x10101000
SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
#endif
case TLSv1_3_plus:
#if OPENSSL_VERSION_NUMBER >= 0x10101000
SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
break;
#endif
case TLSv1_2:
SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
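Review bot: on OpenSSL older than 0x10101000 both new cases compile to empty labels, because the `break;` sits inside the `#if`, and control falls into `case TLSv1_2:`, which caps the connection at TLS1_2_VERSION. A request for TLSv1.3 or TLSv1.3+ is then silently served as TLS 1.2; report an error for these two values when TLS1_3_VERSION is unavailable, and mark the intended fall-through from `case TLSv1_3:` into `case TLSv1_3_plus:` with a comment. init_ssl() in the daemon carries the same block.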
......@@ -897,11 +945,14 @@ void setup_ssl()
case SSLv2:
case SSLv2_plus:
break;
case TLSv1_3:
case TLSv1_3_plus:
#ifdef SSL_OP_NO_TLSv1_2
ssl_opts |= SSL_OP_NO_TLSv1_2;
#endif
case TLSv1_2:
case TLSv1_2_plus:
#ifdef SSL_OP_NO_TLSv1_1
ssl_opts |= SSL_OP_NO_TLSv1_1;
#endif
case TLSv1_1:
case TLSv1_1_plus:
ssl_opts |= SSL_OP_NO_TLSv1;
......@@ -1165,9 +1216,13 @@ int send_request()
} else {
pkt_size = (sizeof(v3_packet) - 1) + strlen(query) + 1;
if (pkt_size < sizeof(v2_packet))
pkt_size = (sizeof(v3_packet) - NRPE_V4_PACKET_SIZE_OFFSET) + strlen(query) + 1;
if (packet_ver == NRPE_PACKET_VERSION_3) {
pkt_size = (sizeof(v3_packet) - NRPE_V3_PACKET_SIZE_OFFSET) + strlen(query) + 1;
}
if (pkt_size < sizeof(v2_packet)) {
pkt_size = sizeof(v2_packet);
}
v3_send_packet = calloc(1, pkt_size);
send_pkt = (char *)v3_send_packet;
......@@ -1197,10 +1252,12 @@ int send_request()
}
#endif
if (v3_send_packet)
if (v3_send_packet) {
free(v3_send_packet);
if (v2_send_packet)
}
if (v2_send_packet) {
free(v2_send_packet);
}
if (rc == -1) {
printf("CHECK_NRPE: Error sending query to host.\n");
......@@ -1214,10 +1271,11 @@ int send_request()
int read_response()
{
v2_packet *v2_receive_packet = NULL;
/* Note: v4 packets will use the v3_packet structure */
v3_packet *v3_receive_packet = NULL;
u_int32_t packet_crc32;
u_int32_t calculated_crc32;
int32_t pkt_size;
int32_t pkt_size, buffer_size;
int rc, result;
alarm(0);
......@@ -1243,32 +1301,50 @@ int read_response()
/* recv() error */
if (rc < 0) {
if (packet_ver == NRPE_PACKET_VERSION_3) {
if (v3_receive_packet)
if (v2_receive_packet) {
free(v2_receive_packet);
}
if (v3_receive_packet) {
free(v3_receive_packet);
}
if (packet_ver >= NRPE_PACKET_VERSION_3) {
return -1;
}
if (v2_receive_packet)
free(v2_receive_packet);
return STATE_UNKNOWN;
} else if (rc == 0) {
/* server disconnected */
printf("CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.\n");
if (packet_ver == NRPE_PACKET_VERSION_3) {
if (v3_receive_packet) {
free(v3_receive_packet);
}
} else if (v2_receive_packet) {
if (v2_receive_packet) {
free(v2_receive_packet);
}
return STATE_UNKNOWN;
}
/* check the crc 32 value */
if (packet_ver == NRPE_PACKET_VERSION_3) {
pkt_size = (sizeof(v3_packet) - 1) + ntohl(v3_receive_packet->buffer_length);
if (packet_ver >= NRPE_PACKET_VERSION_3) {
buffer_size = ntohl(v3_receive_packet->buffer_length);
if (buffer_size < 0 || buffer_size > 65536) {
printf("CHECK_NRPE: Response packet had invalid buffer size.\n");
close(sd);
if (v3_receive_packet) {
free(v3_receive_packet);
}
if (v2_receive_packet) {
free(v2_receive_packet);
}
return STATE_UNKNOWN;
}
pkt_size = sizeof(v3_packet);
pkt_size -= (packet_ver == NRPE_PACKET_VERSION_3 ? NRPE_V3_PACKET_SIZE_OFFSET : NRPE_V4_PACKET_SIZE_OFFSET);
pkt_size += buffer_size;
packet_crc32 = ntohl(v3_receive_packet->crc32_value);
v3_receive_packet->crc32_value = 0L;
v3_receive_packet->alignment = 0;
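Review bot: the bound `buffer_size < 0 || buffer_size > 65536` is a bare literal here and twice more in read_packet(); a named constant next to MAX_PACKETBUFFER_LENGTH would keep the three checks in step. read_packet() applies the same test before it allocates, so this copy only guards the CRC length computation, and a one-line comment saying so would help the next reader.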
......@@ -1286,11 +1362,10 @@ int read_response()
if (packet_crc32 != calculated_crc32) {
printf("CHECK_NRPE: Response packet had invalid CRC32.\n");
close(sd);
if (packet_ver == NRPE_PACKET_VERSION_3) {
if (v3_receive_packet) {
free(v3_receive_packet);
}
} else if (v2_receive_packet) {
if (v2_receive_packet) {
free(v2_receive_packet);
}
return STATE_UNKNOWN;
......@@ -1322,11 +1397,10 @@ int read_response()
}
}
if (packet_ver == NRPE_PACKET_VERSION_3) {
if (v3_receive_packet) {
free(v3_receive_packet);
}
} else if (v2_receive_packet) {
if (v2_receive_packet) {
free(v2_receive_packet);
}
......@@ -1348,14 +1422,13 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
if (rc <= 0 || rc != bytes_to_recv) {
if (rc < bytes_to_recv) {
if (packet_ver != NRPE_PACKET_VERSION_3)
if (packet_ver <= NRPE_PACKET_VERSION_3)
printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%ld expected).\n", rc, sizeof(bytes_to_recv));
}
return -1;
}
packet_ver = ntohs(packet.packet_version);
if (packet_ver != NRPE_PACKET_VERSION_2 && packet_ver != NRPE_PACKET_VERSION_3) {
if (packet_ver != ntohs(packet.packet_version)) {
printf("CHECK_NRPE: Invalid packet version received from server.\n");
return -1;
}
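Review bot: the underflow message is gated on `packet_ver <= NRPE_PACKET_VERSION_3` in this branch but on `packet_ver < NRPE_PACKET_VERSION_3 || packet_ver > NRPE_PACKET_VERSION_4` in the second copy of this code further down, so a v3 request prints the message in one path and not in the other; use one condition for both. The message's "expected" value is `sizeof(bytes_to_recv)`, the size of the variable, where `bytes_to_recv` itself is the count that was requested. Since `packet_ver` is no longer overwritten from the reply, a short comment that the reply version must equal the requested one would document the new rule.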
......@@ -1398,6 +1471,10 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
tot_bytes += rc;
buffer_size = ntohl(buffer_size);
if (buffer_size < 0 || buffer_size > 65536) {
logit(LOG_ERR, "Error: Received packet with invalid buffer size");
return -1;
}
pkt_size += buffer_size;
if ((*v3_pkt = calloc(1, pkt_size)) == NULL) {
logit(LOG_ERR, "Error: Could not allocate memory for packet");
......@@ -1413,7 +1490,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
rc = recvall(sock, buff_ptr, &bytes_to_recv, socket_timeout);
if (rc <= 0 || rc != buffer_size) {
if (packet_ver == NRPE_PACKET_VERSION_3) {
if (packet_ver >= NRPE_PACKET_VERSION_3) {
free(*v3_pkt);
*v3_pkt = NULL;
} else {
......@@ -1436,14 +1513,13 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
if (rc <= 0 || rc != bytes_to_recv) {
if (rc < bytes_to_recv) {
if (packet_ver != NRPE_PACKET_VERSION_3)
if (packet_ver < NRPE_PACKET_VERSION_3 || packet_ver > NRPE_PACKET_VERSION_4)
printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%ld expected).\n", rc, sizeof(bytes_to_recv));
}
return -1;
}
packet_ver = ntohs(packet.packet_version);
if (packet_ver != NRPE_PACKET_VERSION_2 && packet_ver != NRPE_PACKET_VERSION_3) {
if (packet_ver != ntohs(packet.packet_version)) {
printf("CHECK_NRPE: Invalid packet version received from server.\n");
return -1;
}
......@@ -1491,6 +1567,10 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
tot_bytes += rc;
buffer_size = ntohl(buffer_size);
if (buffer_size < 0 || buffer_size > 65536) {
logit(LOG_ERR, "Error: Received packet with invalid buffer size");
return -1;
}
pkt_size += buffer_size;
if ((*v3_pkt = calloc(1, pkt_size)) == NULL) {
logit(LOG_ERR, "Error: Could not allocate memory for packet");
......@@ -1517,7 +1597,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
buff_ptr[bytes_read] = 0;
if (rc < 0 || bytes_read != buffer_size) {
if (packet_ver == NRPE_PACKET_VERSION_3) {
if (packet_ver >= NRPE_PACKET_VERSION_3) {
free(*v3_pkt);
*v3_pkt = NULL;
} else {
......@@ -1525,7 +1605,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
*v2_pkt = NULL;
}
if (bytes_read != buffer_size) {
if (packet_ver == NRPE_PACKET_VERSION_3) {
if (packet_ver >= NRPE_PACKET_VERSION_3) {
printf("CHECK_NRPE: Receive buffer size - %ld bytes received (%ld expected).\n", (long)bytes_read, sizeof(buffer_size));
} else {
printf("CHECK_NRPE: Receive underflow - only %ld bytes received (%ld expected).\n", (long)bytes_read, sizeof(buffer_size));
......
......@@ -124,7 +124,7 @@ extern char *log_file;
/* SSL/TLS parameters */
typedef enum _SSL_VER {
SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus, TLSv1,
TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus
TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus, TLSv1_3, TLSv1_3_plus
} SslVer;
typedef enum _CLNT_CERTS {
......@@ -148,11 +148,11 @@ struct _SSL_PARMS {
SslLogging log_opts;
} sslprm = {
#if OPENSSL_VERSION_NUMBER >= 0x10100000
NULL, NULL, NULL, "ALL:!MD5:@STRENGTH:@SECLEVEL=0", TLSv1_plus, TRUE, 0, SSL_NoLogging};
NULL, NULL, NULL, "ALL:!MD5:@STRENGTH:@SECLEVEL=0", TLSv1_plus, TRUE, 0, SSL_NoLogging
#else
NULL, NULL, NULL, "ALL:!MD5:@STRENGTH", TLSv1_plus, TRUE, 0, SSL_NoLogging};
NULL, NULL, NULL, "ALL:!MD5:@STRENGTH", TLSv1_plus, TRUE, 0, SSL_NoLogging
#endif
};
#ifdef HAVE_SSL
static int verify_callback(int ok, X509_STORE_CTX * ctx);
......@@ -160,6 +160,8 @@ static void my_disconnect_sighandler(int sig);
static void complete_SSL_shutdown(SSL *);
#endif
int disable_syslog = FALSE;
int main(int argc, char **argv)
{
int result = OK;
......@@ -329,6 +331,10 @@ void init_ssl(void)
# ifdef SSL_TXT_TLSV1_2
if (sslprm.ssl_proto_ver == TLSv1_2)
meth = TLSv1_2_server_method();
# ifdef SSL_TXT_TLSV1_3
if (sslprm.ssl_proto_ver == TLSv1_3)
meth = TLSv1_3_server_method();
# endif /* ifdef SSL_TXT_TLSV1_3 */
# endif /* ifdef SSL_TXT_TLSV1_2 */
# endif /* SSL_TXT_TLSV1_1 */
......@@ -349,6 +355,15 @@ void init_ssl(void)
SSL_CTX_set_max_proto_version(ctx, 0);
switch(sslprm.ssl_proto_ver) {
case TLSv1_3:
#if OPENSSL_VERSION_NUMBER >= 0x10101000
SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
#endif
case TLSv1_3_plus:
#if OPENSSL_VERSION_NUMBER >= 0x10101000
SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
break;
#endif
case TLSv1_2:
SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
......@@ -381,11 +396,14 @@ void init_ssl(void)
case SSLv2:
case SSLv2_plus:
break;
case TLSv1_3:
case TLSv1_3_plus:
#ifdef SSL_OP_NO_TLSv1_2
ssl_opts |= SSL_OP_NO_TLSv1_2;
#endif
case TLSv1_2:
case TLSv1_2_plus:
#ifdef SSL_OP_NO_TLSv1_1
ssl_opts |= SSL_OP_NO_TLSv1_1;
#endif
case TLSv1_1:
case TLSv1_1_plus:
ssl_opts |= SSL_OP_NO_TLSv1;
......@@ -517,6 +535,12 @@ void log_ssl_startup(void)
case TLSv1_2_plus:
vers = "TLSv1_2 And Above";
break;
case TLSv1_3:
vers = "TLSv1_3";
break;
case TLSv1_3_plus:
vers = "TLSv1_3 And Above";
break;
default:
vers = "INVALID VALUE!";
break;
......@@ -745,6 +769,62 @@ int verify_callback(int preverify_ok, X509_STORE_CTX * ctx)
}
#endif
/*
* Given a string, convert any byte pairs representing an escape sequence (e.g. "\\r" into
* the single-byte metacharacter (e.g. '\r')
* Currently, this doesn't support octal/hex numbers or unicode code points (\n, \x, \u, \U)
*/
char* process_metachars(const char* input)
{
char* copy = strdup(input);
int i,j;
int length = strlen(input);
for (i = 0, j = 0; i < length, j < length; i++, j++) {
if (copy[j] != '\\') {
copy[i] = copy[j];
continue;
}
j += 1;
switch (copy[j]) {
case 'a':
copy[i] = '\a';
break;
case 'b':
copy[i] = '\b';
break;
case 'f':
copy[i] = '\f';
break;
case 'n':
copy[i] = '\n';
break;
case 'r':
copy[i] = '\r';
break;
case 't':
copy[i] = '\t';
break;
case 'v':
copy[i] = '\v';
break;
case '\\':
copy[i] = '\\';
break;
case '\'':
copy[i] = '\'';
break;
case '"':
copy[i] = '\"';
break;
case '?':
copy[i] = '\?';
break;
}
}
copy[j] = '\0';
}
/* read in the configuration file */
int read_config_file(char *filename)
{
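Review bot: process_metachars() is declared to return char* but has no return statement, and read_config_file() now assigns its result to nasty_metachars, so the metacharacter filter string is undefined after this change; add `return copy;`. Three further points in the same function: the loop condition `i < length, j < length` uses the comma operator, so only `j < length` is tested; the terminator is written with `copy[j] = '\0'` where the write index is i, which leaves the unprocessed tail of the string in place and, when the input ends in a backslash, stores one byte past the strdup() allocation; and the switch has no default, so an unrecognised escape leaves copy[i] unchanged. The strdup() result is also used without a NULL check, and the comment's "(\n, \x, \u, \U)" lists \n as unsupported although the switch handles it.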
......@@ -881,6 +961,9 @@ int read_config_file(char *filename)
else if (!strcmp(varname, "dont_blame_nrpe"))
allow_arguments = (atoi(varvalue) == 1) ? TRUE : FALSE;
else if (!strcmp(varname, "disable_syslog"))
disable_syslog = (atoi(varvalue) == 1) ? TRUE : FALSE;
else if (!strcmp(varname, "allow_bash_command_substitution"))
allow_bash_cmd_subst = (atoi(varvalue) == 1) ? TRUE : FALSE;
......@@ -926,7 +1009,11 @@ int read_config_file(char *filename)
}
} else if (!strcmp(varname, "ssl_version")) {
if (!strcmp(varvalue, "TLSv1.2"))
if (!strcmp(varvalue, "TLSv1.3"))
sslprm.ssl_proto_ver = TLSv1_3;
else if (!strcmp(varvalue, "TLSv1.3+"))
sslprm.ssl_proto_ver = TLSv1_3_plus;
else if (!strcmp(varvalue, "TLSv1.2"))
sslprm.ssl_proto_ver = TLSv1_2;
else if (!strcmp(varvalue, "TLSv1.2+"))
sslprm.ssl_proto_ver = TLSv1_2_plus;
......@@ -1005,7 +1092,7 @@ int read_config_file(char *filename)
keep_env_vars = strdup(varvalue);
else if (!strcmp(varname, "nasty_metachars"))
nasty_metachars = strdup(varvalue);
nasty_metachars = process_metachars(varvalue);
else if (!strcmp(varname, "log_file")) {
log_file = strdup(varvalue);
......@@ -1074,11 +1161,7 @@ int read_config_dir(char *dirname)
continue;
/* process the config file */
result = read_config_file(config_file);
/* break out if we encountered an error */
if (result == ERROR)
break;
result |= read_config_file(config_file);
}
/* recurse into subdirectories... */
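Review bot: `result |= read_config_file(config_file);` only propagates a failure if OK is 0 and ERROR survives a bitwise OR, which these lines do not show and which is easy to break later. An explicit `if (read_config_file(config_file) == ERROR) result = ERROR;` states the intent, and the same applies to the recursive read_config_dir() call in the next hunk. Since a failing file is now skipped rather than stopping the load, make sure the failure is logged with the file name so a setting that did not load is noticed.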
......@@ -1089,12 +1172,7 @@ int read_config_dir(char *dirname)
continue;
/* process the config directory */
result = read_config_dir(config_file);
/* break out if we encountered an error */
if (result == ERROR)
break;
result |= read_config_dir(config_file);
}
}
......@@ -1834,7 +1912,10 @@ void handle_connection(int sock)
} else {
pkt_size = (sizeof(v3_packet) - 1) + strlen(send_buff);
pkt_size = (sizeof(v3_packet) - NRPE_V4_PACKET_SIZE_OFFSET) + strlen(send_buff);
if (packet_ver == NRPE_PACKET_VERSION_3) {
pkt_size = (sizeof(v3_packet) - NRPE_V3_PACKET_SIZE_OFFSET) + strlen(send_buff);
}
v3_send_packet = calloc(1, pkt_size);
send_pkt = (char *)v3_send_packet;
/* initialize response packet data */
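Review bot: the result of `calloc(1, pkt_size)` is cast and passed on to the initialisation that follows with no NULL check in the visible lines. Check v3_send_packet before use and return an error on allocation failure, as read_packet() already does for its own calloc.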
......@@ -1914,13 +1995,31 @@ int handle_conn_ssl(int sock, void *ssl_ptr)
char buffer[MAX_INPUT_BUFFER];
SSL *ssl = (SSL*)ssl_ptr;
X509 *peer;
int rc, x;
int rc, x, sockfd, retval;
fd_set rfds;
struct timeval timeout;
SSL_set_fd(ssl, sock);
sockfd = SSL_get_fd(ssl);
FD_ZERO(&rfds);
FD_SET(sockfd, &rfds);
timeout.tv_sec = connection_timeout;
timeout.tv_usec = 0;
/* keep attempting the request if needed */
while (((rc = SSL_accept(ssl)) != 1)
&& (SSL_get_error(ssl, rc) == SSL_ERROR_WANT_READ));
do {
retval = select(sockfd + 1, &rfds, NULL, NULL, &timeout);
if (retval > 0) {
rc = SSL_accept(ssl);
} else {
logit(LOG_ERR, "Error: (!log_opts) Could not complete SSL handshake with %s: timeout %d seconds", remote_host, connection_timeout);
return ERROR;
}
} while (SSL_get_error(ssl, rc) == SSL_ERROR_WANT_READ);
if (rc != 1) {
/* oops, got an unrecoverable error -- get out */
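Review bot: rfds and timeout are initialised once before the do/while, but select() rewrites the fd set and, on some platforms, the timeout, so each retry should re-arm both; as written, how long a slow peer can hold the handshake open differs between platforms. The else branch also reports select() returning -1 (for example on EINTR) as a timeout, only SSL_ERROR_WANT_READ is retried so SSL_ERROR_WANT_WRITE ends the handshake, and the literal `(!log_opts)` in the message looks like leftover text.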
......@@ -2010,7 +2109,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet * v2_pkt, v3_packet ** v3_pkt
return -1;
packet_ver = ntohs(v2_pkt->packet_version);
if (packet_ver != NRPE_PACKET_VERSION_2 && packet_ver != NRPE_PACKET_VERSION_3) {
if (packet_ver != NRPE_PACKET_VERSION_2 && packet_ver != NRPE_PACKET_VERSION_4) {
logit(LOG_ERR, "Error: (use_ssl == false): Request packet version was invalid!");
return -1;
}
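Review bot: replacing NRPE_PACKET_VERSION_3 with NRPE_PACKET_VERSION_4 in this test makes the plain-socket path reject version 3 requests, although later hunks still size and validate v3 packets (NRPE_V3_PACKET_SIZE_OFFSET, `packet_ver >= NRPE_PACKET_VERSION_3`). If v3 is meant to remain accepted, the condition needs to allow all three versions; the same substitution appears in the SSL branch.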
......@@ -2037,6 +2136,10 @@ int read_packet(int sock, void *ssl_ptr, v2_packet * v2_pkt, v3_packet ** v3_pkt
tot_bytes += rc;
buffer_size = ntohl(buffer_size);
if (buffer_size < 0 || buffer_size > 65536) {
logit(LOG_ERR, "Error: (use_ssl == false): Received packet with invalid buffer size");
return -1;
}
pkt_size += buffer_size;
if ((*v3_pkt = calloc(1, pkt_size)) == NULL) {
logit(LOG_ERR, "Error: (use_ssl == false): Could not allocate memory for packet");
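Review bot: the new bound lets buffer_size == 0 through, and validate_request() later terminates the buffer with `v3pkt->buffer[l - 1] = '\x0';`, which for a zero length writes before the buffer; reject values below 1 here. 65536 is a bare literal repeated in the SSL branch, so a named constant would keep the two in step, and the `< 0` test only has effect if buffer_size is a signed type, which these lines do not show.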
......@@ -2063,16 +2166,34 @@ int read_packet(int sock, void *ssl_ptr, v2_packet * v2_pkt, v3_packet ** v3_pkt
#ifdef HAVE_SSL
else {
SSL *ssl = (SSL *) ssl_ptr;
int sockfd, retval;
fd_set rfds;
struct timeval timeout;
while (((rc = SSL_read(ssl, v2_pkt, bytes_to_recv)) <= 0)
&& (SSL_get_error(ssl, rc) == SSL_ERROR_WANT_READ)) {
sockfd = SSL_get_fd(ssl);
FD_ZERO(&rfds);
FD_SET(sockfd, &rfds);
timeout.tv_sec = connection_timeout;
timeout.tv_usec = 0;
do {
retval = select(sockfd + 1, &rfds, NULL, NULL, &timeout);
if (retval > 0) {
rc = SSL_read(ssl, v2_pkt, bytes_to_recv);
} else {
logit(LOG_ERR, "Error (!log_opts): Could not complete SSL_read with %s: timeout %d seconds", remote_host, connection_timeout);
return -1;
}
} while (SSL_get_error(ssl, rc) == SSL_ERROR_WANT_READ);
if (rc <= 0 || rc != bytes_to_recv)
return -1;
packet_ver = ntohs(v2_pkt->packet_version);
if (packet_ver != NRPE_PACKET_VERSION_2 && packet_ver != NRPE_PACKET_VERSION_3) {
if (packet_ver != NRPE_PACKET_VERSION_2 && packet_ver != NRPE_PACKET_VERSION_4) {
logit(LOG_ERR, "Error: (use_ssl == true): Request packet version was invalid!");
return -1;
}
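Review bot: this is a second copy of the select-and-retry loop from handle_conn_ssl(), with the same once-only setup of rfds and timeout, so a shared helper that re-arms both on every iteration would fix it in one place. A short read (`rc != bytes_to_recv`) returns -1 without a log line, which makes a stalled peer hard to distinguish from other failures, and the version test here drops NRPE_PACKET_VERSION_3 in the same way as the non-SSL branch.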
......@@ -2081,7 +2202,13 @@ int read_packet(int sock, void *ssl_ptr, v2_packet * v2_pkt, v3_packet ** v3_pkt
buffer_size = sizeof(v2_packet) - common_size;
buff_ptr = (char *)v2_pkt + common_size;
} else {
int32_t pkt_size = sizeof(v3_packet) - 1;
int32_t pkt_size = sizeof(v3_packet);
if (packet_ver == NRPE_PACKET_VERSION_3) {
pkt_size -= NRPE_V3_PACKET_SIZE_OFFSET;
}
else if (packet_ver == NRPE_PACKET_VERSION_4) {
pkt_size -= NRPE_V4_PACKET_SIZE_OFFSET;
}
/* Read the alignment filler */
bytes_to_recv = sizeof(int16_t);
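Review bot: the header-size arithmetic now exists in three shapes (assign-then-override in handle_connection(), if/else if here, a ternary in validate_request()), and in this one an unexpected packet_ver silently leaves pkt_size at the full sizeof(v3_packet). A single helper that maps packet_ver to the header size and fails on an unknown version would keep the sending and receiving sides in agreement.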
......@@ -2104,6 +2231,10 @@ int read_packet(int sock, void *ssl_ptr, v2_packet * v2_pkt, v3_packet ** v3_pkt
tot_bytes += rc;
buffer_size = ntohl(buffer_size);
if (buffer_size < 0 || buffer_size > 65536) {
logit(LOG_ERR, "Error: (use_ssl == true): Received packet with invalid buffer size");
return -1;
}
pkt_size += buffer_size;
if ((*v3_pkt = calloc(1, pkt_size)) == NULL) {
logit(LOG_ERR, "Error: (use_ssl == true): Could not allocate memory for packet");
......@@ -2606,6 +2737,7 @@ int validate_request(v2_packet * v2pkt, v3_packet * v3pkt)
{
u_int32_t packet_crc32;
u_int32_t calculated_crc32;
int32_t pkt_size, buffer_size;
char *buff, *ptr;
int rc;
#ifdef ENABLE_COMMAND_ARGUMENTS
......@@ -2613,8 +2745,18 @@ int validate_request(v2_packet * v2pkt, v3_packet * v3pkt)
#endif
/* check the crc 32 value */
if (packet_ver == NRPE_PACKET_VERSION_3) {
int32_t pkt_size = (sizeof(v3_packet) - 1) + ntohl(v3pkt->buffer_length);
if (packet_ver >= NRPE_PACKET_VERSION_3) {
buffer_size = ntohl(v3pkt->buffer_length);
if (buffer_size < 0 || buffer_size > INT_MAX - pkt_size) {
logit(LOG_ERR, "Error: Request packet had invalid buffer size.");
return ERROR;
}
pkt_size = sizeof(v3_packet);
pkt_size -= (packet_ver == NRPE_PACKET_VERSION_3 ? NRPE_V3_PACKET_SIZE_OFFSET : NRPE_V4_PACKET_SIZE_OFFSET);
pkt_size += buffer_size;
packet_crc32 = ntohl(v3pkt->crc32_value);
v3pkt->crc32_value = 0L;
v3pkt->alignment = 0;
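Review bot: `buffer_size > INT_MAX - pkt_size` reads pkt_size before it is assigned; the variable is declared without an initialiser and is only set afterwards by `pkt_size = sizeof(v3_packet);`, so the overflow check compares against an indeterminate value. Compute the header size first and then test buffer_size against it, and consider using the same upper bound as read_packet() (65536) so the two checks cannot disagree.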
......@@ -2637,7 +2779,7 @@ int validate_request(v2_packet * v2pkt, v3_packet * v3pkt)
}
/* make sure buffer is terminated */
if (packet_ver == NRPE_PACKET_VERSION_3) {
if (packet_ver >= NRPE_PACKET_VERSION_3) {
int32_t l = ntohs(v3pkt->buffer_length);
v3pkt->buffer[l - 1] = '\x0';
buff = v3pkt->buffer;
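Review bot: the condition now covers v4, but the unchanged line below it still converts the length with `ntohs(v3pkt->buffer_length)` while the CRC block in this same function reads the field with ntohl(), so the index used to place the terminator can differ from the validated buffer_size. Reuse buffer_size here and guard against zero before indexing `buffer[l - 1]`.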
......@@ -2653,7 +2795,7 @@ int validate_request(v2_packet * v2pkt, v3_packet * v3pkt)
}
/* make sure request doesn't contain nasties */
if (packet_ver == NRPE_PACKET_VERSION_3)
if (packet_ver >= NRPE_PACKET_VERSION_3)
rc = contains_nasty_metachars(v3pkt->buffer);
else
rc = contains_nasty_metachars(v2pkt->buffer);
......@@ -2663,7 +2805,7 @@ int validate_request(v2_packet * v2pkt, v3_packet * v3pkt)
}
/* make sure the request doesn't contain arguments */
if (strchr(v2pkt->buffer, '!')) {
if (strchr(buff, '!')) {
#ifdef ENABLE_COMMAND_ARGUMENTS
if (allow_arguments == FALSE) {
logit(LOG_ERR, "Error: Request contained command arguments, but argument option is not enabled!");
......
......@@ -537,7 +537,6 @@ void logit(int priority, const char *format, ...)
if (!format || !*format)
return;
va_start(ap, format);
if(vasprintf(&buffer, format, ap) > 0) {
if (log_fp) {
......@@ -549,8 +548,9 @@ void logit(int priority, const char *format, ...)
fprintf(log_fp, "[%llu] %s\n", (unsigned long long)log_time, buffer);
fflush(log_fp);
} else
} else if (!disable_syslog) {
syslog(priority, "%s", buffer);
}
free(buffer);
}
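Review bot: with `else if (!disable_syslog)` a message is discarded entirely when log_fp is NULL and disable_syslog is set, and that includes the LOG_ERR lines the new packet and handshake checks emit. Either refuse disable_syslog unless a log file is open, or fall back to stderr so rejected requests still leave a trace.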
......
......@@ -10,6 +10,6 @@ service nrpe
group = @nrpe_group@
server = @sbindir@/nrpe
server_args = -c @pkgsysconfdir@/nrpe.cfg --inetd
only_from = 127.0.0.1
only_from = 127.0.0.1 ::1
log_on_success =
}
......@@ -3,15 +3,19 @@
# Copyright (c) 2017 Nagios(R) Core(TM) Development Team
#
# Supply a default value for NRPE_CFG in case the corresponding
# conf.d file is not installed.
: ${NRPE_CFG:="@sysconfdir@/nrpe.cfg"}
command="@sbindir@/nrpe"
command_args="--config=${NRPE_CFG} ${NRPE_OPTS}"
command_args_background="--daemon"
description="Nagios Remote Plugin Executor (NRPE) daemon"
extra_started_commands="reload"
pidfile="@piddir@/nrpe.pid"
pidfile="@piddir@/${RC_SVCNAME}.pid"
reload() {
ebegin "Reloading ${SVCNAME}"
ebegin "Reloading ${RC_SVCNAME}"
start-stop-daemon --signal HUP --pidfile "${pidfile}"
eend $?
}
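Review bot: the default `: ${NRPE_CFG:="@sysconfdir@/nrpe.cfg"}` uses @sysconfdir@, while the xinetd template in this diff passes `-c @pkgsysconfdir@/nrpe.cfg`; if the two substitutions expand to different directories the OpenRC service will look for the wrong file. Changing pidfile to `${RC_SVCNAME}.pid` also assumes the daemon writes its PID file under that name, which these lines do not show, so reload() may signal nothing.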