Bug #2092

closed

unsafe sprintfs mod_geoip

Added by shaun about 15 years ago. Updated about 8 years ago.

Status:
Fixed
Priority:
Normal
Category:
-
Target version:

Description

When using city databases, mod_geoip does some very broken sprintfs to buffers on the stack. For instance:

    char latitude[32];
    sprintf(&latitude, "%f", gir->latitude);

This works because latitude and &latitude point to the same address, since it's allocated on the stack. However, it throws a compiler warning, since it's passing a char** to a function that's expecting a char*.

Also, the use of unchecked sprintf for stack allocated buffers is spooky. If libgeoip ever returns something of a different size, there's a good chance for stack corruption or other bizarre problems.

Patch changes this to length-checked snprintf's using the buffer instead of the buffer's address.


Files

unsafe_sprintf.patch (1.92 KB) shaun, 2009-10-29 21:32
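The failure mode described in the report, as an added example that is not code from mod_geoip or from the attached patch: `coord_len` and `format_coord` are hypothetical helpers and the sample values are constructed. It measures how many bytes `%f` can actually produce and shows the bounded form that passes the array itself with its size and checks for truncation.

```c
#include <float.h>
#include <stdio.h>

/* Bytes "%f" needs for v, excluding the NUL (C99: NULL/0 only measures). */
static int coord_len(double v)
{
    return snprintf(NULL, 0, "%f", v);
}

/* Hypothetical helper, not from mod_geoip: bounded replacement for
 * sprintf(&buf, "%f", v). Returns 0 on success, -1 on truncation or
 * error, leaving buf as an empty string in that case. */
static int format_coord(char *buf, size_t buflen, double v)
{
    int n = snprintf(buf, buflen, "%f", v);
    if (n < 0 || (size_t)n >= buflen) {
        if (buflen > 0)
            buf[0] = '\0';   /* do not export a cut-off number */
        return -1;
    }
    return 0;
}

int main(void)
{
    char latitude[32];   /* same size as the buffer quoted in the report */

    /* Constructed inputs: a plausible latitude and an out-of-range value */
    double samples[] = { 48.8582, FLT_MAX };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        /* Pass the array itself (decays to char *) plus its size */
        int rc = format_coord(latitude, sizeof latitude, samples[i]);
        printf("needs %d bytes, rc=%d, out=\"%s\"\n",
               coord_len(samples[i]) + 1, rc, latitude);
    }
    return 0;
}
```

`FLT_MAX` formats to 46 characters with `%f`, so an unchecked `sprintf` into a 32-byte buffer would write past its end for such an input, while the bounded call rejects it.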
Actions #1

Updated by shaun about 15 years ago

  • Status changed from New to Patch Pending
Actions #2

Updated by stbuehler about 15 years ago

  • Priority changed from High to Normal
  • Target version deleted (1.4.25)

Just a small reminder: mod_geoip is not upstream.

Actions #3

Updated by gstrauss over 8 years ago

I uploaded a patch to https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModGeoip which applies to mod_geoip_for_1.4.c (rename to mod_geoip.c) in order to compile mod_geoip.c cleanly under lighttpd 1.4.39. (I have not tested beyond compiling it.)

The patch also replaces sprintf() with snprintf() and fixes the compiler warnings.

Actions #4

Updated by gstrauss over 8 years ago

Actions #5

Updated by stbuehler over 8 years ago

  • Status changed from Patch Pending to Invalid

3rd party module.

Actions #6

Updated by gstrauss about 8 years ago

  • Target version set to 1.4.42
Actions #7

Updated by gstrauss about 8 years ago

  • Status changed from Invalid to Fixed