False positives for network download rate test at 1:00 am

Issue #147 resolved
Jochen Ott
created an issue

I'm using monit 5.11 to monitor the network with:

check network eth0 with interface eth0
    if total download > 1 GB in last 2 hours then alert

Just after 1:00 in the morning I get e-mails alerting me that the threshold was passed, but this does not make any sense for that server, given that the total network counts are below that. Looking at the monit source code, I think this is a bug in libmonit/src/system/NetStatistics.c in _deltaHour, where the download rate over the last 2 hours is calculated:

int delta = stop - count;
int start = delta < 0 ? 24 + delta + 1 : delta;
return data->hour[start] > -1LL ? data->hour[stop] - data->hour[start] : 0LL;

Here: count=2, stop is the current hour, stop=1. So delta=-1 and start = 24. But start is used as index in data->hour, which is an array of size 24. So this is a out-of-bounds access, which in my case evaluates to some large value triggering the alert.

The code should be changed to:

int start = delta < 0 ? 24 + delta : delta;

A similar problem affects _deltaMinute.



Comments (2)

  1. Log in to comment