Potential buffer overrun on incorrect database #53
libtorrent-rasterbar uses a quite outdated version of GeoIP. This version has a GeoIP_country_code array of size 253 (it doesn't know "BQ", "SS" and "O1"). I assume my database version is up to date and has 256 countries. I got a buffer overrun once (http://code.google.com/p/libtorrent/issues/detail?id=720&sort=-id) because GeoIP tried to access index 253 (immediately past the end).

I believe libtorrent should be upgraded to a newer version of GeoIP. But after a bit of reading of the latest version I still don't see clearly why it cannot access past the end of the array if the database is corrupt. E.g. why the function _GeoIP_seek_record_gl could not return a value >= 256.

Comments

Thanks for the report. The database format limits the number of countries to 256, but I think you are right that given how the code is written, it is possible for

Another possibility is sanity checking and error reporting if the database is corrupted at load time. But I'm afraid this will require a major rewrite.

Yeah, although more sanity checking would be great, I don't know if significant code changes are likely to happen given that this is a legacy API and our development is focused on libmaxminddb.

1.6.5
* A segmentation fault in `geoiplookup` was fixed when the utility was passed an invalid database. (Reported in Red Hat bug #1180874.)
* Additional validation was added for the size used in the creation of the index cache. (Based on discussion in Red Hat bug #832913.)
* Changed the code to only look up country codes by using functions which ensure that we do not try to look past the end of an array. (Reported by Ivan Sorokin. GitHub #53)

This was fixed in #54.
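The pattern the report describes, an index derived from the database used directly to subscript a fixed-size country-code table, shown beside a bounds-checked lookup that refuses any index at or past the table length. This is an added example and not the geoip-api-c or libtorrent code: the shortened table contents, the 16-bit record encoding, the helpers seek_record, code_unchecked, code_checked and lookup_from_db, and the sample database bytes are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, shortened stand-in for a country-code table.  The legacy
 * library's GeoIP_country_code array is much larger (253 entries in the
 * version the issue mentions); the indexing problem is the same at any size. */
static const char *const country_code[] = {
    "--", "AP", "EU", "AD", "AE", "AF", "AG", "AI",
};
#define NUM_COUNTRIES (sizeof country_code / sizeof country_code[0])

/* Constructed model of a record read from the database: a little-endian
 * 16-bit value taken from a caller-supplied buffer.  A corrupt or newer
 * database can therefore hand back any value from 0 to 65535, which is the
 * situation the report describes (index 253 against a 253-entry table). */
static unsigned seek_record(const uint8_t *db, size_t off) {
    return (unsigned)db[off] | ((unsigned)db[off + 1] << 8);
}

/* Unchecked pattern: trusts the database value as an array index.
 * For idx >= NUM_COUNTRIES this reads past the end of the table
 * (undefined behaviour; shown for contrast, never called below). */
const char *code_unchecked(unsigned idx) {
    return country_code[idx];
}

/* Checked pattern: compare against the table length and return NULL
 * (to be treated as "unknown") instead of indexing past the end. */
static const char *code_checked(unsigned idx) {
    if (idx >= NUM_COUNTRIES)
        return NULL;
    return country_code[idx];
}

/* Read one record at 'off', bounds-checking both the buffer access and the
 * resulting table index.  Returns 1 and sets *out on success, 0 otherwise. */
int lookup_from_db(const uint8_t *db, size_t db_len, size_t off, const char **out) {
    if (off + 2 > db_len) {           /* record would run past the buffer */
        *out = NULL;
        return 0;
    }
    unsigned idx = seek_record(db, off);
    *out = code_checked(idx);
    return *out != NULL;
}

int main(void) {
    /* Constructed two-record "database": record 0 -> index 3 ("AD"),
     * record 1 -> index 253, the past-the-end value from the report. */
    static const uint8_t db[] = { 0x03, 0x00, 0xFD, 0x00 };
    const char *cc;
    for (size_t off = 0; off < sizeof db; off += 2) {
        if (lookup_from_db(db, sizeof db, off, &cc))
            printf("record at %zu -> %s\n", off, cc);
        else
            printf("record at %zu -> index %u rejected (table has %zu entries)\n",
                   off, seek_record(db, off), NUM_COUNTRIES);
    }
    return 0;
}
```

The check is deliberately against the compiled-in table length rather than the format's nominal limit of 256, because a table shorter than the limit (as in the 253-entry build the report mentions) is exactly the case where a database that is valid by the format's rules still indexes past the array.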