ZBX-10551

Possible crash when processing trigger expression with '{' without matching '}' reported by Coverity

      Found by Coverity (CID 118926). See the code:

      		for (br = tr->expression, bl = strchr(tr->expression, '{'); NULL != bl; bl = strchr(bl, '{'))
      		{
      			...
      			if (NULL == (br = strchr(bl, '}')))	/* suppose br == NULL here */
      			{
      				tr[i].new_error = zbx_strdup(tr[i].new_error, "Invalid trigger expression");
      				tr[i].new_value = TRIGGER_VALUE_UNKNOWN;
      				THIS_SHOULD_NEVER_HAPPEN;
      				break;
      			}
      			...
      		}
      
      		if (NULL == tr->new_error)
      		{
      			zbx_strcpy_alloc(&out, &out_alloc, &out_offset, br);	/* dereferencing br == NULL */
      			...
      		}
      

      From one point of view, the frontend must prohibit such trigger expressions and THIS_SHOULD_NEVER_HAPPEN, but on the other hand we even try to set a meaningful error message for this situation, just to crash on the next step. I think this should be fixed.

      Similar situation in extract_numbers() (CID 118924).

            glebs.ivanovskis Glebs Ivanovskis (Inactive)
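The pattern from the report, as an added example that is not Zabbix source and not part of the original issue: a brace-scanning loop written so that a failed search for '}' cannot reach the copy after the loop. The names expand_tokens and append, and the stand-in value "1" substituted for each token, are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Zabbix code): bounded append of n bytes of src to out. */
static int append(char *out, size_t out_size, size_t *off, const char *src, size_t n)
{
	if (n >= out_size - *off)	/* no room for the data plus the terminator */
		return -1;
	memcpy(out + *off, src, n);
	*off += n;
	out[*off] = '\0';
	return 0;
}

/* Replace every {...} token in expr with the constructed stand-in "1".
 * Returns 0 on success, -1 on an unmatched '{' or a full buffer (out is then empty). */
int expand_tokens(const char *expr, char *out, size_t out_size)
{
	const char *tail = expr;	/* first byte not yet copied; never NULL */
	const char *open_br, *close_br;
	size_t off = 0;
	if (0 == out_size)
		return -1;
	out[0] = '\0';
	for (open_br = strchr(expr, '{'); NULL != open_br; open_br = strchr(tail, '{'))
	{
		/* the search result lives in its own variable, so a miss cannot clobber tail */
		if (NULL == (close_br = strchr(open_br, '}')))
			goto fail;
		if (0 != append(out, out_size, &off, tail, (size_t)(open_br - tail)) ||
				0 != append(out, out_size, &off, "1", 1))
			goto fail;
		tail = close_br + 1;
	}
	if (0 != append(out, out_size, &off, tail, strlen(tail)))
		goto fail;
	return 0;
fail:
	out[0] = '\0';
	return -1;
}

int main(void)
{
	char buf[64];
	int rc = expand_tokens("{100}>5 and {101", buf, sizeof(buf));	/* constructed input */
	printf("rc=%d out=\"%s\"\n", rc, buf);
	return 0;
}
```

The error path returns before the tail copy instead of relying on a separate error field being checked later, which is the dependency that let the NULL pointer through in the reported code.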