Cap snprintf return value in mod_maxminddb to prevent stack over-read #153
Open
kodareef5 wants to merge 1 commit into lighttpd:master from
Conversation
snprintf returns the number of characters that would have been written, which can exceed the buffer size for large double/float values (e.g., DBL_MAX → ~315 chars). This return value is used directly as the data length for http_header_env_set, causing a stack buffer over-read when vlen > sizeof(buf). Cap vlen to sizeof(buf) - 1 after each snprintf call.
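Added illustration of the defect the description reports, not lighttpd's own code: the unchecked snprintf length beside the capped form, assuming a 64-byte buffer and a "%f" conversion (both are assumptions standing in for whatever mod_maxminddb uses).

```c
#include <float.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for the local buffer in mod_maxminddb. */
#define GEO_BUF_SIZE 64
static char geo_buf[GEO_BUF_SIZE]; /* scratch buffer shared with the checks */

/* Mirrors the defect described in the PR: snprintf() returns the length that
 * WOULD have been written, so for huge doubles the value exceeds bufsz and,
 * if used as a data length, points past the end of the buffer. */
size_t geo_double_len_unchecked(char *buf, size_t bufsz, double d)
{
    int n = snprintf(buf, bufsz, "%f", d); /* "%f" is an assumption */
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened form from the PR: cap vlen at bufsz - 1, the most snprintf() can
 * actually have stored before the terminating NUL. */
size_t geo_double_len_capped(char *buf, size_t bufsz, double d)
{
    int n = snprintf(buf, bufsz, "%f", d);
    if (n < 0) return 0;
    size_t vlen = (size_t)n;
    if (vlen > bufsz - 1) vlen = bufsz - 1;
    return vlen;
}

/* 1 when a length handed on as the data length would read past the buffer
 * (the condition vlen > sizeof(buf) named in the description). */
int geo_len_overreads(size_t vlen, size_t bufsz)
{
    return vlen > bufsz;
}

int main(void)
{
    size_t raw = geo_double_len_unchecked(geo_buf, sizeof geo_buf, DBL_MAX);
    size_t cap = geo_double_len_capped(geo_buf, sizeof geo_buf, DBL_MAX);
    printf("DBL_MAX: snprintf reported %zu, buffer holds %zu, capped %zu, "
           "over-read=%d\n", raw, sizeof geo_buf, cap,
           geo_len_overreads(raw, sizeof geo_buf));
    return 0;
}
```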
Member:
Did you find any double/float values in the maxminddb GeoIP2 database that exceed the buffer size in mod_maxminddb.c (
snprintf at lines 379/382 returns the number of characters that would have been written, which can exceed sizeof(buf) for large double/float values. This value is used directly as the data length for http_header_env_set, causing a stack buffer over-read. Cap vlen to sizeof(buf) - 1 after each snprintf call.