While creating a security patch for the old version 1.4.3 of nagios-plugin-snmp, I noticed that the use of strcat to write a dynamic string into a static buffer was not the only mistake that had been made.
The following code can be found in an older stable version of the nagios SNMP plugin:
asprintf(str, "=%s%s;;;; ", show, type ? type : "");
The original problem here was the unchecked strcat into a static global buffer, which caused a rather classic buffer overflow. Much more interesting, however, was the use of asprintf(3) here. asprintf allocates enough memory to hold the formatted string and stores the address of that memory in the pointer its first argument points to. So what the nagios people did was to allocate an array of MAX_INPUT_BUFFER pointers to strings and pass that array; it decays to a pointer to its first element, so the first of these pointers was set to the string. Incidentally, this even works; however, the allocation is never released, so this situation is a clear memory leak.
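To make the two defects concrete, here is an added illustration (not code from the plugin): the array-of-pointers misuse, showing that asprintf only ever fills slot 0, beside a correct single-pointer use that hands ownership to the caller, and a bounded append that stands in for the unchecked strcat. The value of MAX_INPUT_BUFFER is assumed.

```c
#define _GNU_SOURCE              /* asprintf(3) is a GNU/BSD extension */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_INPUT_BUFFER 1024    /* assumed value; the plugin's own may differ */

/* The misuse from the post: an array of pointers passed where asprintf wants a
 * char **. The array decays to &str[0], so only slot 0 gets the heap string and
 * the other MAX_INPUT_BUFFER-1 slots stay NULL. Returns the number of slots set
 * (always 1). The free() is only so this demo does not leak; the plugin had none. */
static int slots_set_by_asprintf(const char *show, const char *type)
{
    char *str[MAX_INPUT_BUFFER];
    memset(str, 0, sizeof str);
    if (asprintf(str, "=%s%s;;;; ", show, type ? type : "") == -1)
        return -1;
    int n = 0;
    for (int i = 0; i < MAX_INPUT_BUFFER; i++)
        n += (str[i] != NULL);
    free(str[0]);
    return n;
}

/* Correct use: one char *, return value checked, ownership handed to the
 * caller so exactly one free() matches the one allocation. */
static char *format_perfdata(const char *show, const char *type)
{
    char *str = NULL;
    if (asprintf(&str, "=%s%s;;;; ", show, type ? type : "") == -1)
        return NULL;             /* on failure the contents of str are undefined */
    return str;
}

/* Bounded replacement for the unchecked strcat into a fixed global buffer:
 * returns -1 and leaves buf untouched rather than writing past cap. */
static int append_bounded(char *buf, size_t cap, const char *s)
{
    size_t used = strnlen(buf, cap), need = strlen(s);
    if (used >= cap || need >= cap - used)
        return -1;
    memcpy(buf + used, s, need + 1);
    return 0;
}

int main(void)
{
    char *p = format_perfdata("42", "c");
    if (p != NULL) { puts(p); free(p); }
    return 0;
}
```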
To point out the positive: this very creative use of asprintf gave me a good laugh.