[mapserver-dev] Buffer overflow in msOWSParseRequestMetadata

Fabian Schindler fabian.schindler at eox.at
Tue Jul 17 03:29:01 PDT 2012

Hey folks,

While setting up our software (EOxServer) in the OSGeoLive virtual 
machine we stumbled into a bug that only seems to show on 32 bit 
environments (such as the OSGeoLive VM). We spotted the bug in the 
version 6.0.3 but also version 6.0.1 and 6.2.0-beta1 seem to be affected.

The result is a stack smashing/buffer overflow as shown in this 
backtrace [1].

The minimal mapfile used to reproduce the bug can be found here [2].

The problem is a buffer overflow occurring in 
`msOWSParseRequestMetadata' when it is called with arguments that 
obviously don't fit into the `char requestBuffer[32];' (i.e: are larger 
than 32 bytes). This is the case when the layer setting 
"wms_enable_request" is set to "getcapabilities,getmap,getfeatureinfo".

Extending the `requestBuffer' to 64 or 128 bytes (as done in the patch 
contained in the attachment) solves this particular issue, but seems a 
bit clumsy as it is still possible to run into the said bug. Maybe 
someone more into the issue may have a look at this?

I think that this is a rather urgent issue, also for us, as we want to 
be part of the next OSGeoLive distribution.
I'd like to know if this bugfix will be enough for a 6.0.4 release 
and when this release will be available?


[1] http://pastebin.com/Xp15Pkwd
[2] http://pastebin.com/pTvyS4q6
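To make the reported condition concrete, here is an added example (not MapServer code, and not the attached patch) that shows the two defensive options the report implies: a length check that a copy into the 32-byte buffer would need, and a lookup that scans the comma-separated "wms_enable_request" value in place so no fixed buffer is involved. The buffer size and the sample value come from the report; the function names and the assumption that the original copies the whole value into `requestBuffer` are mine.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer named in the report. */
#define REQUEST_BUFFER_SIZE 32

/* Guard a fixed-buffer copy would need: 1 if `value` (plus its NUL)
 * fits in REQUEST_BUFFER_SIZE bytes, 0 if copying it would overflow.
 * Hypothetical helper, not part of MapServer. */
int fits_request_buffer(const char *value)
{
    return strlen(value) + 1 <= REQUEST_BUFFER_SIZE;
}

/* Case-insensitive compare of exactly n bytes (avoids POSIX strncasecmp). */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Safer alternative to copying: walk the comma-separated `enabled` list
 * in place and report whether `request` is listed. The list can be any
 * length because nothing is ever copied into a fixed-size buffer.
 * Hypothetical helper, not part of MapServer. */
int request_enabled(const char *enabled, const char *request)
{
    size_t rlen = strlen(request);
    const char *p = enabled;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t tlen = end ? (size_t)(end - p) : strlen(p);
        if (tlen == rlen && eq_nocase(p, request, rlen))
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

int main(void)
{
    /* The layer setting from the report: 37 characters, 38 bytes with NUL. */
    const char *value = "getcapabilities,getmap,getfeatureinfo";
    printf("fits 32-byte buffer: %d\n", fits_request_buffer(value));
    printf("GetMap enabled: %d\n", request_enabled(value, "GetMap"));
    return 0;
}
```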
