Skip site navigation (1) Skip section navigation (2)

Cursor support buffer patch

From: Ian Lance Taylor <ian(at)airs(dot)com>
To: pgsql-patches(at)postgresql(dot)org
Subject: Cursor support buffer patch
Date: 2001-06-06 06:39:44
Message-ID: 20010606063944.7614.qmail@daffy.airs.com (view raw or flat)
Thread:
Lists: pgsql-patches
Here is a small patch for the cursor support which Jan recently added.
The code assumed that there would be a '\0' in buf after storing the
characters in new->refname, but it did nothing to ensure that.

I can't convince myself that this code does not have the possibility
of buffer overflow.  However, I have not tried to fix that.  For that
matter, I see other possibilities for buffer overflow in gram.y, such
as in decl_cursor_arglist.  Buffer overflow of this sort is not good,
as it means that anybody who is permitted to create functions can
completely break security.

Ian

Index: gram.y
===================================================================
RCS file: /home/projects/pgsql/cvsroot/pgsql/src/pl/plpgsql/src/gram.y,v
retrieving revision 1.20
diff -u -p -r1.20 gram.y
--- gram.y	2001/05/31 17:15:40	1.20
+++ gram.y	2001/06/06 06:35:46
@@ -385,7 +385,8 @@ decl_statement	: decl_varname decl_const
 								*cp2++ = '\\';
 							*cp2++ = *cp1++;
 						}
-						strcat(buf, "'");
+						*cp2++ = '\'';
+						*cp2 = '\0';
 						curname_def->query = strdup(buf);
 						new->default_val = curname_def;
 

Responses

pgsql-patches by date

Next:From: Ian Lance TaylorDate: 2001-06-06 07:02:11
Subject: Patch for cursors with multiple parameters
Previous:From: Chris DunlopDate: 2001-06-06 00:43:16
Subject: Re: Australian timezone configure option

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group