I have encountered this problem, too:

[7083302.117086] send_nsca[15854]: segfault at bf9ec000 ip 08048fad sp bf9e7a50 error 6 in send_nsca[8048000+5000]
[7169701.935382] send_nsca[22982]: segfault at bff37000 ip 08048fad sp bff32b00 error 6 in send_nsca[8048000+5000]
[7256101.739524] send_nsca[28416]: segfault at bfff1000 ip 08048fad sp bffed440 error 6 in send_nsca[8048000+5000]
...

In my case, send_nsca is used by munin-limits. I was able to create a debug version of nsca-client, obtain a core dump and I believe this to be the problem:

Reading symbols from /usr/sbin/send_nsca...done.
[New LWP 1669]
warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
Core was generated by `. sqldb1.mpl.loc eth0 errors 0 OKs: errors is 0.00, errors is 0'.
Program terminated with signal 11, Segmentation fault.
#0  main (argc=1936269427, argv=0x302e3020) at ./send_nsca.c:204
204         input_buffer[pos] = c;
(gdb) list
199     while (c != 23){
200         if (c == -1){ // in case we don't terminate properly
201                       // or are in single-input mode.
202             break;
203         }
204         input_buffer[pos] = c;
205         c = getc(stdin);
206         pos++;
207     }
208     input_buffer[pos] = 0;
(gdb) p c
$1 = 46
(gdb) p pos
$2 = <optimized out>
(gdb) p sizeof(input_buffer)
$3 = 5120

In the while loop above, no check is made for writing past the input_buffer array which obviously happens in my case.

At a second glance, it seems that this loop should break the input stream into chunks separated by character 23 which would mitigate my problem. However, the help of send_nsca is ambiguous regarding the separation for lines:

    Input should be provided in the following format (tab-delimited unless overriden with -d command line argument, one entry per line):

and later

    When submitting multiple simultaneous results, separate each set with the ETB character (^W or 0x17)

It seems to me that at least munin-limits does not honor the last sentence but provides multiple results separated by a LF.

I patched send_nsca.c to treat both LF and ETB as result separators (patch is attached) and I could not reproduce the segfaults anymore. I'm not sure that this is the proper solution to this problem, though. Maybe this is better fixed in munin, but I feel at least a check for input_buffer overflow is missing in send_nsca.

With kind regards
Stefan Peter
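The bounds check the message above says is missing, as an added example that is not part of the original report or of the nsca source. The names read_record, split_sample and SAMPLE are hypothetical, the input is constructed, and truncating an oversized result (rather than rejecting it) is an assumption.

```c
#include <stdio.h>
#define ETB 0x17 /* result separator named in send_nsca's help text */

/* Read one result into buf (capacity cap >= 1). A result ends at ETB, LF
 * (as in the reporter's patch) or EOF. Bytes that do not fit are consumed
 * but not stored. Returns the stored length, or -1 at EOF with no data. */
static int read_record(FILE *in, char *buf, size_t cap, int *truncated)
{
    size_t pos = 0;
    int c, seen = 0;
    *truncated = 0;
    while ((c = getc(in)) != EOF) {
        seen = 1;
        if (c == ETB || c == '\n')
            break;
        if (pos < cap - 1)
            buf[pos++] = (char)c;
        else
            *truncated = 1; /* oversized: keep reading, stop writing */
    }
    buf[pos] = '\0';
    return seen ? (int)pos : -1;
}

/* Constructed sample input: two LF-separated results, one ETB-terminated. */
static const char SAMPLE[] =
    "host1\teth0 errors\t0\tOK\n"
    "host1\teth0 traffic\t0\tOK: a deliberately long plugin output\n"
    "host2\tload\t1\tWARN\x17";

/* Split SAMPLE with a cap-byte buffer; returns the number of results. */
static int split_sample(size_t cap, int *n_truncated)
{
    char buf[64];
    int n = 0, t;
    FILE *f = (cap >= 1 && cap <= sizeof buf) ? tmpfile() : NULL;
    *n_truncated = 0;
    if (f == NULL) return -1;
    fwrite(SAMPLE, 1, sizeof SAMPLE - 1, f);
    rewind(f);
    for (; read_record(f, buf, cap, &t) >= 0; n++)
        *n_truncated += t;
    fclose(f);
    return n;
}

int main(void)
{
    int t, n = split_sample(32, &t);
    return printf("%d results, %d truncated\n", n, t) < 0;
}
```

With a 32-byte buffer the second constructed result is longer than the buffer; it is reported as truncated and the write index never reaches the end of buf.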
--- nsca-2.9.1/src/send_nsca.c.orig 2016-03-15 13:54:26.000000000 +0100 +++ nsca-2.9.1/src/send_nsca.c 2016-03-15 15:24:53.000000000 +0100 @@ -196,7 +196,7 @@ break; } int pos = 0; - while (c != 23){ + while (! (c == '\n' || c == 23)) { if (c == -1){ // in case we don't terminate properly // or are in single-input mode. break;
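Review bot: the changed `while` condition still places no bound on pos, so a single result longer than input_buffer (5120 bytes per the gdb session in the report) will still write past the array at `input_buffer[pos] = c;`, with or without LF as a separator. Add the limit to the loop condition, for example `while (!(c == '\n' || c == 23) && pos < (int)sizeof(input_buffer) - 1)`, and decide explicitly whether an oversized result is truncated or rejected. As a style point, the literal 23 would read better as a named ETB constant next to the '\n' it is now compared with.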