Bug #2092

unsafe sprintfs mod_geoip

Added by shaun almost 10 years ago. Updated about 3 years ago.

When using city databases, mod_geoip does some very broken sprintfs to buffers on the stack. For instance:

    char latitude[32];
    sprintf(&latitude, "%f", gir->latitude);

This works because latitude and &latitude point to the same address, since it's allocated on the stack. However, it throws a compiler warning, since it's passing a char** to a function that's expecting a char*.

Also, the use of unchecked sprintf for stack allocated buffers is spooky. If libgeoip ever returns something of a different size, there's a good chance for stack corruption or other bizarre problems.

Patch changes this to length-checked snprintf's using the buffer instead of the buffer's address.

unsafe_sprintf.patch (1.92 KB) shaun, 2009-10-29 21:32

Associated revisions

Revision 5dfe21ac (diff)
Added by gstrauss about 3 years ago

[mod_geoip] add to default build (fixes #2705, fixes #2101, fixes #2092, fixes #2025, fixes #1962, fixes #1938)

(add to default build to reduce distributor package maintenance)

"broken module API since 1.4.38"
"lighttpd-1.4.24 fails to compile with mod_geoip.c"
"unsafe sprintfs mod_geoip"
"mod_geoip crashes lighttpd 1.5.x on FreeBSD 7.2 AMD64"
"lighttpd 1.4 crashes on FreeBSD 7.0 AMD64 when mod_geoip compiled in"



Updated by shaun almost 10 years ago

  • Status changed from New to Patch Pending

Updated by stbuehler almost 10 years ago

  • Priority changed from High to Normal
  • Target version deleted (1.4.25)

Just a small reminder: mod_geoip is not upstream.


Updated by gstrauss over 3 years ago

I uploaded a patch to which applies to mod_geoip_for_1.4.c (rename to mod_geoip.c) in order to compile mod_geoip.c cleanly under lighttpd 1.4.39. (I have not tested beyond compiling it.)

The patch also replaces sprintf() with snprintf() and fixes the compiler warnings.


Updated by gstrauss over 3 years ago


Updated by stbuehler over 3 years ago

  • Status changed from Patch Pending to Invalid

3rd party module.


Updated by gstrauss about 3 years ago

  • Target version set to 1.4.42

Updated by gstrauss about 3 years ago

  • Status changed from Invalid to Fixed
