[mapserver-dev] Buffer overflow in msOWSParseRequestMetadata
Fabian Schindler
fabian.schindler at eox.at
Tue Jul 17 03:29:01 PDT 2012
Hey folks,

While setting up our software (EOxServer) in the OSGeoLive virtual
machine we stumbled into a bug that only seems to show on 32 bit
environments (such as the OSGeoLive VM). We spotted the bug in
version 6.0.3, but versions 6.0.1 and 6.2.0-beta1 also seem to be affected.
The result is a stack smashing/buffer overflow as shown in this
backtrace [1].

The minimal mapfile used to reproduce the bug can be found here [2].

The problem is a buffer overflow occurring in
`msOWSParseRequestMetadata' when it is called with arguments that
obviously don't fit into the `char requestBuffer[32];' (i.e. are larger
than 32 bytes). This is the case when the layer setting
"wms_enable_request" is set to "getcapabilities,getmap,getfeatureinfo".
Extending the `requestBuffer' to 64 or 128 bytes (as done in the patch
contained in the attachment) solves this particular issue, but seems a
bit clumsy as it is still possible to run into the said bug. Maybe
someone more into the issue may have a look at this?

I think that this is a rather urgent issue, also for us, as we want to
be part of the next OSGeoLive distribution.

I'd like to know if this bugfix will be enough for a 6.0.4 release
and when this release will be available.

Thanks,
Fabian

[1] http://pastebin.com/Xp15Pkwd
[2] http://pastebin.com/pTvyS4q6
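As an added example (not MapServer's code and not the patch attached to this mail), two ways to test a request name against a comma-separated wms_enable_request value without copying the whole value into a fixed 32-byte stack buffer: matching tokens in place, and, where a 32-byte buffer is kept, copying one token at a time and rejecting any token that does not fit. Function names are hypothetical; the sample value is the one from the report.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>

/* Compare a pointer+length token with a NUL-terminated request name,
   ignoring surrounding spaces and case. Nothing is copied. */
static int token_matches(const char *tok, size_t len, const char *req)
{
    while (len > 0 && isspace((unsigned char)tok[0])) { tok++; len--; }
    while (len > 0 && isspace((unsigned char)tok[len - 1])) len--;
    return len == strlen(req) && strncasecmp(tok, req, len) == 0;
}

/* Variant 1: tokenize in place; the value's total length never matters,
   so "getcapabilities,getmap,getfeatureinfo" (39 bytes) needs no buffer.
   Returns 1 if req is listed, 0 otherwise. */
int request_enabled(const char *enabled, const char *req)
{
    const char *p, *comma;
    if (enabled == NULL || req == NULL || *req == '\0') return 0;
    for (p = enabled; ; p = comma + 1) {
        comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (token_matches(p, len, req)) return 1;
        if (comma == NULL) return 0;
    }
}

/* Variant 2: if a fixed buffer is kept (the 32-byte pattern in the
   report), copy one token at a time, never the whole value, and fail
   closed (-1) on a token that does not fit instead of overrunning. */
int request_enabled_fixed(const char *enabled, const char *req)
{
    char tokbuf[32];
    const char *p, *comma;
    if (enabled == NULL || req == NULL || *req == '\0') return 0;
    for (p = enabled; ; p = comma + 1) {
        comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len >= sizeof tokbuf) return -1;  /* reject, never truncate */
        memcpy(tokbuf, p, len);
        tokbuf[len] = '\0';
        if (token_matches(tokbuf, len, req)) return 1;
        if (comma == NULL) return 0;
    }
}
```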
-------------- next part --------------
A non-text attachment was scrubbed...
Name: msOWSParseRequestMetadata.patch
Type: text/x-patch
Size: 429 bytes
Desc: not available
URL: <http://lists.osgeo.org/pipermail/mapserver-dev/attachments/20120717/09849086/attachment.bin>