Package: monitoring-plugins / 2.3.3-5+deb12u2

14_check_curl_fix_SSL_with_multiple_IPs Patch series | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
 
From 03f86b5d0809967855fbaafb4d600dc5b82081fa Mon Sep 17 00:00:00 2001
From: Andreas Baumann <mail@andreasbaumann.cc>
Date: Tue, 7 Mar 2023 19:51:33 +0100
Subject: [PATCH 1/4] check_curl: in SSL host caching mode try to connect and
 bind and take the first getaddrinfo result which succeeds

---
 plugins/check_curl.c | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index c37d45d91..e1bc98dc9 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -386,6 +386,7 @@ lookup_host (const char *host, char *buf, size_t buflen)
   struct addrinfo hints, *res, *result;
   int errcode;
   void *ptr;
+  int s;
 
   memset (&hints, 0, sizeof (hints));
   hints.ai_family = address_family;
@@ -399,19 +400,26 @@ lookup_host (const char *host, char *buf, size_t buflen)
   res = result;
 
   while (res) {
-  inet_ntop (res->ai_family, res->ai_addr->sa_data, buf, buflen);
-  switch (res->ai_family) {
-    case AF_INET:
-      ptr = &((struct sockaddr_in *) res->ai_addr)->sin_addr;
+    inet_ntop (res->ai_family, res->ai_addr->sa_data, buf, buflen);
+    switch (res->ai_family) {
+      case AF_INET:
+        ptr = &((struct sockaddr_in *) res->ai_addr)->sin_addr;
+        break;
+      case AF_INET6:
+        ptr = &((struct sockaddr_in6 *) res->ai_addr)->sin6_addr;
       break;
-    case AF_INET6:
-      ptr = &((struct sockaddr_in6 *) res->ai_addr)->sin6_addr;
-    break;
     }
+
     inet_ntop (res->ai_family, ptr, buf, buflen);
     if (verbose >= 1)
       printf ("* getaddrinfo IPv%d address: %s\n",
         res->ai_family == PF_INET6 ? 6 : 4, buf);
+
+    if (s = socket (res->ai_family, res->ai_socktype, res->ai_protocol) == -1)
+      continue;
+    if (bind (s, res->ai_addr, res->ai_addrlen == 0) )
+      break;
+
     res = res->ai_next;
   }
   

From 2902381c5de01f69d61569b0c8dae6a92e2b9843 Mon Sep 17 00:00:00 2001
From: Barak Shohat <barak@bazzisoft.com>
Date: Wed, 8 Mar 2023 11:56:43 +0200
Subject: [PATCH 2/4] check_curl.c: Include all IPs from getaddrinfo() in curl
 DNS cache

---
 plugins/check_curl.c | 39 ++++++++++++++++++++++++++-------------
 1 file changed, 26 insertions(+), 13 deletions(-)

diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index e1bc98dc9..512fb88a6 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -384,9 +384,12 @@ int
 lookup_host (const char *host, char *buf, size_t buflen)
 {
   struct addrinfo hints, *res, *result;
+  char addrstr[100];
+  size_t addrstr_len;
   int errcode;
   void *ptr;
   int s;
+  size_t buflen_remaining = buflen - 1;
 
   memset (&hints, 0, sizeof (hints));
   hints.ai_family = address_family;
@@ -396,33 +399,40 @@ lookup_host (const char *host, char *buf, size_t buflen)
   errcode = getaddrinfo (host, NULL, &hints, &result);
   if (errcode != 0)
     return errcode;
-  
+
+  strcpy(buf, "");
   res = result;
 
   while (res) {
-    inet_ntop (res->ai_family, res->ai_addr->sa_data, buf, buflen);
     switch (res->ai_family) {
       case AF_INET:
         ptr = &((struct sockaddr_in *) res->ai_addr)->sin_addr;
         break;
       case AF_INET6:
         ptr = &((struct sockaddr_in6 *) res->ai_addr)->sin6_addr;
-      break;
+        break;
     }
 
-    inet_ntop (res->ai_family, ptr, buf, buflen);
-    if (verbose >= 1)
+    inet_ntop (res->ai_family, ptr, addrstr, 100);
+    if (verbose >= 1) {
       printf ("* getaddrinfo IPv%d address: %s\n",
-        res->ai_family == PF_INET6 ? 6 : 4, buf);
+        res->ai_family == PF_INET6 ? 6 : 4, addrstr);
+    }
 
-    if (s = socket (res->ai_family, res->ai_socktype, res->ai_protocol) == -1)
-      continue;
-    if (bind (s, res->ai_addr, res->ai_addrlen == 0) )
-      break;
+    // Append all IPs to buf as a comma-separated string
+    addrstr_len = strlen(addrstr);
+    if (buflen_remaining > addrstr_len + 1) {
+      if (buf[0] != NULL) {
+        strncat(buf, ",", 1);
+        buflen_remaining -= 1;
+      }
+      strncat(buf, addrstr, buflen_remaining);
+      buflen_remaining -= addrstr_len;
+    }
 
     res = res->ai_next;
   }
-  
+
   freeaddrinfo(result);
 
   return 0;
@@ -453,7 +463,7 @@ check_http (void)
   int i;
   char *force_host_header = NULL;
   struct curl_slist *host = NULL;
-  char addrstr[100];
+  char addrstr[DEFAULT_BUFFER_SIZE/2];
   char dnscache[DEFAULT_BUFFER_SIZE];
 
   /* initialize curl */
@@ -505,7 +515,7 @@ check_http (void)
 
   // fill dns resolve cache to make curl connect to the given server_address instead of the host_name, only required for ssl, because we use the host_name later on to make SNI happy
   if(use_ssl && host_name != NULL) {
-      if ( (res=lookup_host (server_address, addrstr, 100)) != 0) {
+      if ( (res=lookup_host (server_address, addrstr, DEFAULT_BUFFER_SIZE/2)) != 0) {
         snprintf (msg, DEFAULT_BUFFER_SIZE, _("Unable to lookup IP address for '%s': getaddrinfo returned %d - %s"),
           server_address, res, gai_strerror (res));
         die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
@@ -800,6 +810,9 @@ check_http (void)
   /* free header and server IP resolve lists, we don't need it anymore */
   curl_slist_free_all (header_list); header_list = NULL;
   curl_slist_free_all (server_ips); server_ips = NULL;
+  if (host) {
+    curl_slist_free_all (host); host = NULL;
+  }
 
   /* Curl errors, result in critical Nagios state */
   if (res != CURLE_OK) {

From fc927e98db73850e760f490117ed36f2de20270c Mon Sep 17 00:00:00 2001
From: Andreas Baumann <mail@andreasbaumann.cc>
Date: Wed, 8 Mar 2023 16:10:45 +0100
Subject: [PATCH 3/4] fixed a wrong compare and a wrong size in strncat

---
 plugins/check_curl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index 512fb88a6..cc17ef58a 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -422,8 +422,8 @@ lookup_host (const char *host, char *buf, size_t buflen)
     // Append all IPs to buf as a comma-separated string
     addrstr_len = strlen(addrstr);
     if (buflen_remaining > addrstr_len + 1) {
-      if (buf[0] != NULL) {
-        strncat(buf, ",", 1);
+      if (buf[0] != '\0') {
+        strncat(buf, ",", buflen_remaining);
         buflen_remaining -= 1;
       }
       strncat(buf, addrstr, buflen_remaining);

From ea53555f2d6254da5fec0c1061899a01dd5321ec Mon Sep 17 00:00:00 2001
From: Andreas Baumann <mail@andreasbaumann.cc>
Date: Sat, 11 Mar 2023 11:40:00 +0100
Subject: [PATCH 4/4] check_curl: removed a superflous variable

---
 plugins/check_curl.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index cc17ef58a..e5be1ad56 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -388,7 +388,6 @@ lookup_host (const char *host, char *buf, size_t buflen)
   size_t addrstr_len;
   int errcode;
   void *ptr;
-  int s;
   size_t buflen_remaining = buflen - 1;
 
   memset (&hints, 0, sizeof (hints));