Bug #2092

unsafe sprintfs mod_geoip

Added by shaun about 10 years ago. Updated about 3 years ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 2009-10-29
Due date:
% Done: 0%
Estimated time:
Missing in 1.5.x: No

Description

When using city databases, mod_geoip does some very broken sprintfs to buffers on the stack. For instance:

    char latitude[32]; sprintf(&latitude, "%f", gir->latitude);

This works because latitude and &latitude point to the same address, since it's allocated on the stack. However, it throws a compiler warning, since it's passing a char** to a function that's expecting a char*.

Also, the use of unchecked sprintf for stack allocated buffers is spooky. If libgeoip ever returns something of a different size, there's a good chance for stack corruption or other bizarre problems.

Patch changes this to length-checked snprintf's using the buffer instead of the buffer's address.
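The shape of the fix the description asks for, as an added example that is not the ticket's attached patch nor code from mod_geoip: a bounded snprintf into the fixed-size stack buffer, with the return value checked so that a value longer than the buffer is reported instead of silently overrunning it. The struct geo_record type and the function names format_coord and render_coords are assumptions made for this example; the real module reads a GeoIPRecord from libgeoip.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define COORD_LEN 32   /* same buffer size the ticket's snippet uses */

/* Constructed stand-in for the two fields the ticket's sprintf calls read;
 * this is not the real GeoIPRecord definition from libgeoip. */
struct geo_record {
    float latitude;
    float longitude;
};

/* Length-checked replacement for `sprintf(&latitude, "%f", ...)`.
 * Writes at most len-1 characters plus the terminating NUL into buf and
 * reports whether the whole value fit. snprintf returns the length the
 * output would have had without the bound, so a result >= len means the
 * string was truncated; a negative result means an encoding error. */
static bool format_coord(char *buf, size_t len, double value)
{
    if (buf == NULL || len == 0)
        return false;
    int n = snprintf(buf, len, "%f", value);
    if (n < 0) {
        buf[0] = '\0';            /* leave a valid empty string on error */
        return false;
    }
    return (size_t)n < len;
}

/* The fixed pattern: two fixed-size stack buffers, each filled with a
 * bounded write, and an explicit check instead of trusting that whatever
 * the library returns is always short enough. Returns true only if both
 * coordinates were rendered without truncation. */
static bool render_coords(const struct geo_record *gir,
                          char latitude[COORD_LEN], char longitude[COORD_LEN])
{
    bool ok = format_coord(latitude, COORD_LEN, gir->latitude);
    ok = format_coord(longitude, COORD_LEN, gir->longitude) && ok;
    return ok;
}

int main(void)
{
    char latitude[COORD_LEN], longitude[COORD_LEN];
    struct geo_record gir = { 37.751f, -97.822f };   /* constructed sample */

    if (render_coords(&gir, latitude, longitude))
        printf("lat=%s lon=%s\n", latitude, longitude);
    else
        printf("coordinate did not fit: lat=%s lon=%s\n", latitude, longitude);

    /* A value far wider than the buffer: the old unbounded sprintf would
     * have written past the end of the array; snprintf stops at the bound
     * and the return value tells the caller it happened. */
    char small[8];
    bool fit = format_coord(small, sizeof small, 1e300);
    printf("fit=%d truncated=\"%s\"\n", fit, small);
    return 0;
}
```

Note that passing the array itself (latitude) rather than its address (&latitude) is what removes the compiler warning: the array decays to the char* that snprintf expects, while &latitude has type char (*)[32].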


Files

unsafe_sprintf.patch (1.92 KB), shaun, 2009-10-29 21:32

#1

Updated by shaun about 10 years ago

  • Status changed from New to Patch Pending
#2

Updated by stbuehler about 10 years ago

  • Priority changed from High to Normal
  • Target version deleted (1.4.25)

Just a small reminder: mod_geoip is not upstream.

#3

Updated by gstrauss over 3 years ago

I uploaded a patch to https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModGeoip which applies to mod_geoip_for_1.4.c (rename to mod_geoip.c) in order to compile mod_geoip.c cleanly under lighttpd 1.4.39. (I have not tested beyond compiling it.)

The patch also replaces sprintf() with snprintf() and fixes the compiler warnings.

#4

Updated by gstrauss over 3 years ago

#5

Updated by stbuehler over 3 years ago

  • Status changed from Patch Pending to Invalid

3rd party module.

#6

Updated by gstrauss about 3 years ago

  • Target version set to 1.4.42
#7

Updated by gstrauss about 3 years ago

  • Status changed from Invalid to Fixed
