Bug #2092: unsafe sprintfs mod_geoip
Status: closed
Description
When using city databases, mod_geoip does some very broken sprintfs to buffers on the stack. For instance:
    char latitude[32]; sprintf(&latitude, "%f", gir->latitude);

This works because latitude and &latitude point to the same address, since it's allocated on the stack. However, it throws a compiler warning, since it's passing a char** to a function that's expecting a char*.
Also, the use of unchecked sprintf for stack-allocated buffers is spooky. If libgeoip ever returns something of a different size, there's a good chance for stack corruption or other bizarre problems.
Patch changes this to length-checked snprintf's using the buffer instead of the buffer's address.
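The shape of the fix the report describes, as an added example rather than the patch itself or mod_geoip's own code: a bounded snprintf into the stack buffer, passing the array (not its address), with the return value checked for truncation. The struct geo_record and the function names are constructed stand-ins for this example; libGeoIP's real record type is not used here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the record libGeoIP hands back; only the two
 * fields this example formats. Not libGeoIP's actual GeoIPRecord. */
struct geo_record {
    double latitude;
    double longitude;
};

/* Bounded replacement for the unchecked sprintf. Returns 0 on success and
 * -1 if the formatted value did not fit. With size > 0, snprintf always
 * NUL-terminates and returns the length it *would* have written, so a
 * result >= size means the output was truncated and must not be trusted
 * silently. */
static int format_coord(char *buf, size_t size, double value)
{
    int n = snprintf(buf, size, "%f", value);
    if (n < 0 || (size_t)n >= size) {
        return -1;
    }
    return 0;
}

/* Formats both coordinates into caller-supplied buffers, the way the
 * module copies latitude/longitude out of the record. The buffers are
 * passed as arrays decaying to char*, never as &array. */
static int format_record(const struct geo_record *gir,
                         char *lat, size_t lat_size,
                         char *lon, size_t lon_size)
{
    if (format_coord(lat, lat_size, gir->latitude) != 0) {
        return -1;
    }
    if (format_coord(lon, lon_size, gir->longitude) != 0) {
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample record. */
    struct geo_record gir = { 37.386000, -122.083800 };
    char latitude[32];
    char longitude[32];

    if (format_record(&gir, latitude, sizeof latitude,
                      longitude, sizeof longitude) == 0) {
        printf("lat=%s lon=%s\n", latitude, longitude);
    }

    /* Failure mode the report warns about: a value whose "%f" rendering is
     * far longer than the buffer. sprintf would overrun the stack here;
     * snprintf stops at the bound and the check reports it. */
    char tiny[4];
    if (format_coord(tiny, sizeof tiny, 1e300) != 0) {
        printf("value did not fit in %zu bytes\n", sizeof tiny);
    }
    return 0;
}
```

The reason the bound matters even for a "small" double is that "%f" prints every integer digit, so an out-of-range coordinate such as 1e300 renders to over 300 characters; a 32-byte stack buffer written by sprintf would be overrun by hundreds of bytes, while snprintf writes at most size-1 characters plus the terminator.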
Updated by stbuehler about 15 years ago
- Priority changed from High to Normal
- Target version deleted (1.4.25)
Just a small reminder: mod_geoip is not upstream.
Updated by gstrauss over 8 years ago
I uploaded a patch to https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModGeoip which applies to mod_geoip_for_1.4.c (rename to mod_geoip.c) in order to compile mod_geoip.c cleanly under lighttpd 1.4.39. (I have not tested beyond compiling it.)
The patch also replaces sprintf() with snprintf() and fixes the compiler warnings.
Updated by gstrauss over 8 years ago
Please close ticket. Patch posted to wiki https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModGeoip
Updated by stbuehler over 8 years ago
- Status changed from Patch Pending to Invalid
3rd party module.