[mapserver-dev] Ticket 3537 - Buffer overflow vulnerabilities
aboudreault at mapgears.com
Wed Oct 6 09:08:32 EDT 2010
* I don't use sizeof() operator to compute string lengths, I use strlen to
compute string length. If so, it's a mistake. snprintf need the total size of
the buffer we want to write in. So, it's not the lenght of the string I need,
but its size. Let me know if that's not what you are refering to.
* I assume you are talking about the msSaveImageAGG() function etc. Well, in
that case, it was not risky (and there are a few other places like that) but I
wasn't sure at 100% if I could say that the format->driver length passed in
function parameter was smaller than 128. Can this function be called from php?
or from mapscript? I couldn't really do that for all function I modified, it
would have taken too many time. Also, I don't see any reason to not use those
functions since they are just safer. Btw, there are many cases that I haven't
modified the strcpy calls.... when I considered them safe.
Do I answer your questions?
On October 6, 2010 08:49:54 am thomas bonfort wrote:
> * it seems suspicious to me that you are using the sizeof operator to
> compute string lengths,shouldn't you be using strlen instead?
> * why replace all functions with their snyyyy couterpart (i.e. sprintf
> by snprintf, etc...) when treating data that isn't submitted over the
> wire (for example DRIVER names, etc...) ?
> On Tue, Oct 5, 2010 at 19:57, Alan Boudreault <aboudreault at mapgears.com>
> > Hi Devs,
> > As discussed during the meeting at FOSS4G 2010, I passed through the
> > mapserver code source and fixed a lot buffer overflow vulnerabilities. I
> > followed the good practices in C development of a few security sites. ie:
> > https://buildsecurityin.us-cert.gov/bsi-rules/home.html
> > I invite all file maintainers to take a look at my changes to see what
> > those good practices are and comment if needed. If you have no
> > objection, I'm going to commit this in trunk.
> > I've run msautotest and the results before/after applying those patches
> > are exactly the same. I would like to commit as soon as possible to let
> > everyone test their applications with the changes.
> > Here's the patches:
> > http://trac.osgeo.org/mapserver/attachment/ticket/3537/3537-1.patch
> > http://trac.osgeo.org/mapserver/attachment/ticket/3537/3537-2.patch
> > regards,
> > Alan
> > --
> > Alan Boudreault
> > Mapgears
> > http://www.mapgears.com
> > _______________________________________________
> > mapserver-dev mailing list
> > mapserver-dev at lists.osgeo.org
> > http://lists.osgeo.org/mailman/listinfo/mapserver-dev
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the mapserver-dev