
Bug #2092

unsafe sprintfs mod_geoip

Added by shaun over 7 years ago. Updated 9 months ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 2009-10-29
Due date:
% Done: 0%
Estimated time:
Missing in 1.5.x: No

Description

When using city databases, mod_geoip does some very broken sprintfs to buffers on the stack. For instance:

char latitude[32]; sprintf(&latitude, "%f", gir->latitude);
This works because latitude and &latitude point to the same address, since it's allocated on the stack. However, it throws a compiler warning, since it's passing a char** to a function that's expecting a char*.

Also, the use of unchecked sprintf for stack allocated buffers is spooky. If libgeoip ever returns something of a different size, there's a good chance for stack corruption or other bizarre problems.

Patch changes this to length-checked snprintf's using the buffer instead of the buffer's address.

unsafe_sprintf.patch (1.92 KB), shaun, 2009-10-29 21:32
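As an added example (not the patch attached to this report, nor mod_geoip's own code), here is the pattern from the description rewritten with a length-checked snprintf(), plus a helper that measures how many bytes "%f" really needs for a given double. It assumes the same 32-byte stack buffer as the report; the function names are illustrative.

```c
#include <stdio.h>
#include <string.h>

/* Number of bytes "%f" needs for v, excluding the terminating NUL.
 * snprintf() with a NULL buffer and size 0 only measures; it writes nothing.
 * A large double expands its whole integer part, far beyond 32 bytes, which
 * is exactly what the unchecked sprintf(&latitude, "%f", ...) would overrun. */
int needed_len(double v)
{
    return snprintf(NULL, 0, "%f", v);
}

/* Hardened form of the report's pattern: format v into buf (capacity len),
 * passing the array itself (it decays to char *), not its address.
 * Returns 0 on success and -1 if the result did not fit; on -1 the output
 * is truncated but still NUL-terminated, and the caller is told about it. */
int format_coord(char *buf, size_t len, double v)
{
    int n = snprintf(buf, len, "%f", v);
    if (n < 0 || (size_t)n >= len)
        return -1;          /* truncated: do not treat buf as complete */
    return 0;
}

/* Demo helper: format v into a 32-byte stack buffer, as mod_geoip did, and
 * report how many characters survived (at most 31 when truncated). */
size_t kept_chars(double v)
{
    char latitude[32];      /* same size as in the report */
    (void)format_coord(latitude, sizeof latitude, v);
    return strlen(latitude);
}

int main(void)
{
    /* An ordinary coordinate fits comfortably: 9 bytes. */
    printf("37.7749 needs %d bytes, %zu kept\n",
           needed_len(37.7749), kept_chars(37.7749));

    /* A pathological value (constructed): 1e300 needs 308 bytes with "%f".
     * sprintf() would have written all of them past the 32-byte buffer;
     * snprintf() stops at 31 and format_coord() reports the truncation. */
    printf("1e300 needs %d bytes, %zu kept\n",
           needed_len(1e300), kept_chars(1e300));
    return 0;
}
```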

Associated revisions

Revision 5dfe21ac (diff)
Added by gstrauss 9 months ago

[mod_geoip] add to default build (fixes #2705, fixes #2101, fixes #2092, fixes #2025, fixes #1962, fixes #1938)

(add to default build to reduce distributor package maintenance)

x-ref:
"broken module API since 1.4.38"
https://redmine.lighttpd.net/issues/2705
"lighttpd-1.4.24 fails to compile with mod_geoip.c"
https://redmine.lighttpd.net/issues/2101
"unsafe sprintfs mod_geoip"
https://redmine.lighttpd.net/issues/2092
"mod_geoip crashes lighttpd 1.5.x on FreeBSD 7.2 AMD64"
https://redmine.lighttpd.net/issues/2025
"mod_geoip"
https://redmine.lighttpd.net/issues/1962
"lighttpd 1.4 crashes on FreeBSD 7.0 AMD64 when mod_geoip compiled in"
https://redmine.lighttpd.net/issues/1938

History

#1 Updated by shaun over 7 years ago

  • Status changed from New to Patch Pending

#2 Updated by stbuehler over 7 years ago

  • Priority changed from High to Normal
  • Target version deleted (1.4.25)

Just a small reminder: mod_geoip is not upstream.

#3 Updated by gstrauss over 1 year ago

I uploaded a patch to https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModGeoip which applies to mod_geoip_for_1.4.c (rename to mod_geoip.c) in order to compile mod_geoip.c cleanly under lighttpd 1.4.39. (I have not tested beyond compiling it.)

The patch also replaces sprintf() with snprintf() and fixes the compiler warnings.

#4 Updated by gstrauss over 1 year ago

#5 Updated by stbuehler over 1 year ago

  • Status changed from Patch Pending to Invalid

3rd party module.

#6 Updated by gstrauss 9 months ago

  • Target version set to 1.4.42

#7 Updated by gstrauss 9 months ago

  • Status changed from Invalid to Fixed
