[mapserver-dev] Buffer overflow in msOWSParseRequestMetadata

thomas bonfort thomas.bonfort at gmail.com
Tue Jul 17 03:49:53 PDT 2012


On Tue, Jul 17, 2012 at 12:29 PM, Fabian Schindler
<fabian.schindler at eox.at> wrote:
> Hey folks,
>
> While setting up our software (EOxServer) in the OSGeoLive virtual machine
> we stumbled into a bug that only seems to show on 32 bit environments (such
> as the OSGeoLive VM). We spotted the bug in the version 6.0.3 but also
> version 6.0.1 and 6.2.0-beta1 seem to be affected.
>
> The result is a stack smashing/buffer overflow as shown in this backtrace
> [1].
>
> The minimal mapfile used to reproduce the bug can be found here [2].
>
>
> The problem is a buffer overflow occurring in `msOWSParseRequestMetadata'
> when it is called with arguments that obviously don't fit into the `char
> requestBuffer[32];' (i.e: are larger than 32 bytes). This is the case when
> the layer setting "wms_enable_request" is set to
> "getcapabilities,getmap,getfeatureinfo".
>
> Extending the `requestBuffer' to 64 or 128 bytes (as done in the patch
> contained in the attachment) solves this particular issue, but seems a bit
> clumsy as it is still possible to run into the said bug. Maybe someone more
> into the issue may have a look at this?
>
> I think that this is a rather urgent issue, also for us, as we want to be
> part of the next OSGeoLive distribution.
> I'd like to know if this bugfix will be enough for a 6.0.4 release and
> when this release will be available?

Augmenting the buffer size isn't an appropriate fix imho. We can have
two different fixes:
- char *requestBuffer = msSmallMalloc(strlen(metadata)+1); instead of
char requestBuffer[32]; This has the inconvenience of calling a
malloc.
- The code there seems quite complicated, and if I understand
correctly what it's trying to do can be replaced with some calls to
strcasestr. As Alan is absent this week, I'd be willing to implement
and apply a patch provided you can help validate it doesn't have
side-effects I did not foresee?

As for 6.0.4 there are no immediate plans I think. Can you package
6.0.3 + a patch for the liveDVD?

--
thomas

>
> Thanks,
> Fabian
>
>
> [1] http://pastebin.com/Xp15Pkwd
> [2] http://pastebin.com/pTvyS4q6
>