[mapserver-dev] Buffer overflow in msOWSParseRequestMetadata

thomas bonfort thomas.bonfort at gmail.com
Tue Jul 17 03:50:46 PDT 2012


PS: can you open an issue for this?

On Tue, Jul 17, 2012 at 12:49 PM, thomas bonfort
<thomas.bonfort at gmail.com> wrote:
> On Tue, Jul 17, 2012 at 12:29 PM, Fabian Schindler
> <fabian.schindler at eox.at> wrote:
>> Hey folks,
>>
>> While setting up our software (EOxServer) in the OSGeoLive virtual machine
>> we stumbled into a bug that only seems to show on 32 bit environments (such
>> as the OSGeoLive VM). We spotted the bug in the version 6.0.3 but also
>> version 6.0.1 and 6.2.0-beta1 seem to be affected.
>>
>> The result is a stack smashing/buffer overflow as shown in this backtrace
>> [1].
>>
>> The minimal mapfile used to reproduce the bug can be found here [2].
>>
>>
>> The problem is a buffer overflow occurring in `msOWSParseRequestMetadata'
>> when it is called with arguments that obviously don't fit into the `char
>> requestBuffer[32];' (i.e: are larger than 32 bytes). This is the case when
>> the layer setting "wms_enable_request" is set to
>> "getcapabilities,getmap,getfeatureinfo".
>>
>> Extending the `requestBuffer' to 64 or 128 bytes (as done in the patch
>> contained in the attachment) solves this particular issue, but seems a bit
>> clumsy as it is still possible to run into the said bug. Maybe someone more
>> into the issue may have a look at this?
>>
>> I think that this is a rather urgent issue, also for us, as we want to be
>> part of the next OSGeoLive distribution.
>> I'd like to know if this bugfix will be enough for a 6.0.4 release and
>> when this release will be available?
>
> Augmenting the buffer size isn't an appropriate fix imho. We can have
> two different fixes:
> - char *requestBuffer = msSmallMalloc(strlen(metadata)+1); instead of
> char requestBuffer[32]; This has the inconvenience of calling a
> malloc.
> - The code there seems quite complicated, and if I understand
> correctly what it's trying to do can be replaced with some calls to
> strcasestr. As Alan is absent this week, I'd be willing to implement
> and apply a patch provided you can help validate it doesn't have
> side-effects I did not foresee?
>
> As for 6.0.4 there are no immediate plans I think. Can you package
> 6.0.3 + a patch for the liveDVD?
>
> --
> thomas
>
>>
>> Thanks,
>> Fabian
>>
>>
>> [1] http://pastebin.com/Xp15Pkwd
>> [2] http://pastebin.com/pTvyS4q6
>>
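The two fixes discussed in the thread, written out as an added example that is not MapServer's own code: a check for the precondition the fixed 32-byte `requestBuffer` silently relied on, a tokeniser that matches a request name against the comma-separated `wms_enable_request` value in place (no intermediate buffer, exact token match rather than a bare substring hit), and the input-sized copy Thomas proposes. The function names are the example's own.

```c
/* Added example (not MapServer's code): handling a comma-separated
 * "wms_enable_request" value without copying it into a fixed 32-byte
 * stack buffer, the pattern the report identifies as overflowing when
 * the value is longer than 32 bytes. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Precondition the fixed-size copy in the report never checked: the
 * source must be strictly shorter than the buffer so the NUL fits.
 * Returns 1 if `metadata` fits in a buffer of `bufsize` bytes, else 0. */
int fits_fixed_buffer(const char *metadata, size_t bufsize)
{
    return strlen(metadata) < bufsize;
}

/* Hardened variant: walk the tokens in place, no intermediate buffer.
 * Returns 1 if `request` (e.g. "GetMap") is one of the comma-separated
 * tokens in `metadata`, compared case-insensitively after trimming
 * blanks; a plain strcasestr() would also accept a token that merely
 * contains the request name as a substring. */
int request_enabled(const char *metadata, const char *request)
{
    size_t reqlen = strlen(request);
    const char *tok = metadata;

    while (tok && *tok) {
        const char *end = strchr(tok, ',');
        size_t len = end ? (size_t)(end - tok) : strlen(tok);

        /* trim leading and trailing blanks around the token */
        while (len > 0 && (*tok == ' ' || *tok == '\t')) { tok++; len--; }
        while (len > 0 && (tok[len - 1] == ' ' || tok[len - 1] == '\t')) len--;

        if (len == reqlen && strncasecmp(tok, request, len) == 0)
            return 1;

        tok = end ? end + 1 : NULL;
    }
    return 0;
}

/* The other proposal from the thread: size the copy to the input rather
 * than to a constant. Caller frees; returns NULL on allocation failure. */
char *copy_metadata(const char *metadata)
{
    size_t n = strlen(metadata) + 1;
    char *buf = malloc(n);
    if (buf) memcpy(buf, metadata, n);
    return buf;
}
```

The value from the report, "getcapabilities,getmap,getfeatureinfo", is 37 characters and so fails `fits_fixed_buffer(..., 32)`, while `request_enabled` handles it without any buffer at all.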
