Buffer overread in MD5 code

Issue #880 resolved
Hanno Böck created an issue

When compiling monit with address sanitizer (-fsanitize=address in CFLAGS+LDFLAGS) and connecting to the web interface with any password, it will show a buffer overread in the MD5 code (function md5_process).

I tried tracking down the bug, but the code is relatively complicated. I’m attaching a full stack trace from asan.

Comments (4)

  1. Hanno Böck reporter

    You need ASAN in the linker flags, because it’s implemented as a library that has to be linked into the executable.
