🛡️ Sentinel: [CRITICAL/HIGH] Fix buffer overflow in mmdblookup

[rgerhards]

🚨 Severity: HIGH
💡 Vulnerability: A Variable Length Array (VLA) in str_split (mmdblookup.c) could cause stack overflow. String expansion without bounds checking could cause heap overflow.
🎯 Impact: Potential DoS or RCE if malicious data is processed.
🔧 Fix: Replaced VLA with heap allocation (malloc/realloc). Added safe stream handling (fclose before modification).
✅ Verification: Verified logic with standalone test case. Verified syntax via code review.

---

PR created automatically by Jules for task 7357544321937131368 started by @rgerhards

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[gemini-code-assist]

Summary of Changes

Hello @rgerhards, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses critical and high-severity memory safety vulnerabilities within the mmdblookup plugin. The changes ensure robust handling of string manipulation and memory streams, mitigating risks of denial-of-service or remote code execution due to malformed input. The core issue of unbounded memory operations has been resolved by transitioning from stack-based to heap-based allocation and enforcing proper buffer management.

Highlights

• Buffer Overflow Prevention: Replaced a Variable Length Array (VLA) in str_split with heap allocation (malloc) to prevent potential stack overflows when processing large input strings.
• Heap Overflow Mitigation: Implemented dynamic reallocation (realloc) and bounds checking within str_split to safely handle string expansion, preventing potential heap overflows.
• Memory Stream Safety: Corrected the handling of open_memstream buffers by ensuring fclose is called before str_split modifies the buffer, thereby preventing use-after-free or double-free vulnerabilities.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• .jules/sentinel.md
  • Added a new sentinel document detailing the buffer overflow vulnerability, lessons learned, and prevention strategies.
• plugins/mmdblookup/mmdblookup.c
  • Replaced the Variable Length Array tempbuf with a dynamically allocated buffer using malloc in str_split.
  • Introduced realloc logic in str_split to dynamically resize the membuf if the string expands during processing.
  • Adjusted the order of operations in doAction_NoStrings to close the memstream before calling str_split to prevent use-after-free issues, and removed a redundant fclose call.

Activity

• The pull request was automatically created by Jules for task 7357544321937131368, initiated by @rgerhards.
• The logic of the fix was verified with a standalone test case.
• The syntax of the changes was verified via code review.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fae4bd0189

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Propagate str_split allocation failures to caller

When malloc/realloc fails, str_split logs and returns without transforming membuf, but doAction_NoStrings still parses and consumes that buffer as if conversion succeeded. In this module the conversion step is required to turn MMDB_dump_entry_data_list output into JSON (for example, it strips <...> markers), so this failure path can produce NULL/invalid JSON values and push bad data through msgAddJSON instead of cleanly failing the action. Please return an error status from str_split and abort processing on failure.

Useful? React with 👍 / 👎.

[gemini-code-assist]

Code Review

This pull request effectively addresses critical security vulnerabilities in mmdblookup.c, specifically a stack-based buffer overflow from a Variable Length Array, a heap-based buffer overflow, and a use-after-free condition related to open_memstream. The changes correctly implement fixes such as replacing VLA with heap allocation, resizing destination buffers, and ensuring proper memory stream closure. While the SAST reconnaissance pass reported no vulnerabilities, this was due to all files being empty, preventing a full scan. The implemented fixes significantly improve the module's security and stability, with a minor suggestion for performance improvement.

[gemini-code-assist]

For a minor performance improvement, you can use memcpy instead of strcpy here. You have already calculated the length of tempbuf and stored it in new_len, so using memcpy avoids an extra string length calculation that strcpy would perform internally.

    memcpy(*membuf, tempbuf, new_len + 1);