To seal out any possible denial-of-service attacks, do not expect the
parsers to return data that is NUL-terminated.
Signed-off-by: Timo Kokkonen <timo.t.kokkonen@iki.fi>
int rrdtool_update_data(struct rrd_database *rrd)
{
int pid;
- char data[RRD_DATA_MAX_LEN + 2];
+ char data[RRD_DATA_MAX_LEN + 3]; /* 3 == "N:" + NULL termination */
char cmd[] = RRDTOOL_CMD;
// char cmd[] = "echo";
char *const cmdline[] = {
if (rrd->parse) {
rrd->parse(data + l, rrd->parser_data);
+ data[RRD_DATA_MAX_LEN + 2] = '\0';
+
sanitize_rrd_update_data(data + l);
pid = run(cmd, cmdline);
harvest_zombies(pid);
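Review bot: Terminating only the final byte with `data[RRD_DATA_MAX_LEN + 2] = '\0';` bounds the string, but it leaves the bytes between the end of the parser's output and that terminator undefined. `data` is declared without an initializer in the first hunk, so unless it is cleared in lines outside these hunks, a parser that writes a short, unterminated value leaves stack residue for sanitize_rrd_update_data() to read, and presumably for the rrdtool command line too. Zero the buffer at the declaration, `char data[RRD_DATA_MAX_LEN + 3] = { 0 };`, and write the terminator as `data[sizeof(data) - 1] = '\0';` so the index follows the array size. The parse callback is also given no length, so the RRD_DATA_MAX_LEN limit is only a convention for parser authors and deserves a comment at the call; the body of rrdtool_update_data starts and ends outside these hunks.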