[mapserver-dev] Ticket 3537 - Buffer overflow vulnerabilities

Alan Boudreault aboudreault at mapgears.com
Wed Oct 6 09:21:55 EDT 2010


Just discussed this with Daniel, and we are going to create a new ticket for 
this task and pass through the code source to be sure all 
malloc/calloc/realloc return values are checked.

Thanks Bret for the report.
Alan

On October 6, 2010 08:46:03 am Alan Boudreault wrote:
> I haven't added many malloc() calls. I've mostly only replaced its argument
> to use my bufferSize variable to be consistent with the next snprintf/etc.
> calls. Well, correct me if I am wrong (since I'm not a mapserver user),
> but I don't think those *string* mallocs are the biggest sources of
> mapserver processes crashing. Those memory allocations are generally of
> very small size and fail rarely.
> 
> I, of course, agree with you that all malloc should be checked. Devs,
> should we consider another pass to be sure all malloc/calloc calls are
> checked?
> 
> Thanks,
> Alan
> 
> On October 6, 2010 04:31:52 am Bret S. Lambert wrote:
> > Just an FYI, you're not checking the return from *any* of the mallocs
> > that you've added; there are some checks, but they were already there
> > before you audited sprintf() calls. That's probably one of the biggest
> > sources of mapserver processes crashing, given my (admittedly limited)
> > experience with both the codebase and running it in production for a
> > client.
> > 
> > On Tue, 5 Oct 2010 13:57:14 -0400, Alan Boudreault <aboudreault at mapgears.com> wrote:
> > > Hi Devs,
> > > 
> > > As discussed during the meeting at FOSS4G 2010, I passed through the
> > > mapserver code source and fixed a lot of buffer overflow
> > > vulnerabilities. I followed the good practices in C development of a
> > > few security sites. ie:
> > > https://buildsecurityin.us-cert.gov/bsi-rules/home.html
> > > 
> > > I invite all file maintainers to take a look at my changes to see what
> > > those good practices are and comment if needed. If you have no
> > > objection, I'm going to commit this in trunk.
> > > 
> > > I've run msautotest and the results before/after applying those patches
> > > are exactly the same. I would like to commit as soon as possible to let
> > > everyone test their applications with the changes.
> > > 
> > > Here's the patches:
> > > 
> > > http://trac.osgeo.org/mapserver/attachment/ticket/3537/3537-1.patch
> > > 
> > > http://trac.osgeo.org/mapserver/attachment/ticket/3537/3537-2.patch
> > > 
> > > regards,
> > > 
> > > Alan

-- 
Alan Boudreault
Mapgears
http://www.mapgears.com
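
Added example (not part of the original thread and not MapServer code): the pattern the thread discusses, with one bufferSize value driving both the allocation and the snprintf call, the allocation's return value checked, and truncation detected. Apart from bufferSize, every name here (join_path_with, format_path, failing_alloc) and the sample paths are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void *(*alloc_fn)(size_t);  /* allocator hook so failure can be simulated */

/* Simulated out-of-memory allocator (constructed for this demonstration). */
void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Format "dir/file" into dst; -1 if the result was cut off or snprintf failed. */
int format_path(char *dst, size_t bufferSize, const char *dir, const char *file)
{
    int n = snprintf(dst, bufferSize, "%s/%s", dir, file);
    return (n < 0 || (size_t)n >= bufferSize) ? -1 : 0;
}

/* Build "dir/file" in new memory; NULL on size overflow, allocation failure or truncation. */
char *join_path_with(alloc_fn alloc, const char *dir, const char *file)
{
    size_t dlen = strlen(dir), flen = strlen(file), bufferSize;
    char *buf;

    if (flen > SIZE_MAX - 2 || dlen > SIZE_MAX - 2 - flen)
        return NULL;                    /* dlen + flen + 2 would wrap around */
    bufferSize = dlen + flen + 2;       /* '/' plus the terminating NUL */

    buf = alloc(bufferSize);
    if (buf == NULL)
        return NULL;                    /* report the failure instead of writing to NULL */
    if (format_path(buf, bufferSize, dir, file) != 0) {
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    char small[8];
    char *p = join_path_with(malloc, "/data", "demo.map");
    char *q = join_path_with(failing_alloc, "/data", "demo.map");

    printf("normal allocation: %s\n", p ? p : "(null)");
    printf("failed allocation: %s\n", q ? q : "(null)");
    printf("8-byte buffer:     %d\n", format_path(small, sizeof small, "/data", "demo.map"));
    free(p);
    return 0;
}
```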