
Re: Cursor support buffer patch

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Ian Lance Taylor <ian(at)airs(dot)com>
Cc: pgsql-patches(at)postgresql(dot)org
Subject: Re: Cursor support buffer patch
Date: 2001-06-11 04:18:46
Message-ID: 200106110418.f5B4Ili10548@candle.pha.pa.us
Lists: pgsql-patches
Your patch has been added to the PostgreSQL unapplied patches list at:

	http://candle.pha.pa.us/cgi-bin/pgpatches

I will try to apply it within the next 48 hours.

> Here is a small patch for the cursor support which Jan recently added.
> The code assumed that there would be a '\0' in buf after storing the
> characters in new->refname, but it did nothing to ensure that.
> 
> I can't convince myself that this code does not have the possibility
> of buffer overflow.  However, I have not tried to fix that.  For that
> matter, I see other possibilities for buffer overflow in gram.y, such
> as in decl_cursor_arglist.  Buffer overflow of this sort is not good,
> as it means that anybody who is permitted to create functions can
> completely break security.
> 
> Ian
> 
> Index: gram.y
> ===================================================================
> RCS file: /home/projects/pgsql/cvsroot/pgsql/src/pl/plpgsql/src/gram.y,v
> retrieving revision 1.20
> diff -u -p -r1.20 gram.y
> --- gram.y	2001/05/31 17:15:40	1.20
> +++ gram.y	2001/06/06 06:35:46
> @@ -385,7 +385,8 @@ decl_statement	: decl_varname decl_const
>  								*cp2++ = '\\';
>  							*cp2++ = *cp1++;
>  						}
> -						strcat(buf, "'");
> +						*cp2++ = '\'';
> +						*cp2 = '\0';
>  						curname_def->query = strdup(buf);
>  						new->default_val = curname_def;
>  
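Review bot: replacing `strcat(buf, "'")` with `*cp2++ = '\'';` and `*cp2 = '\0';` fixes the reported problem, since strcat() first scans buf for a terminator that the copy loop above never wrote and could read past the end of buf before appending; the loop itself, though, still has no bound on cp2, and each input character may cost two output bytes because of the `*cp2++ = '\\';` escape, plus two more for the closing quote and terminator, so a long enough refname can still overrun buf. Suggest checking the remaining room before each write (the size of buf is not visible in this hunk) or computing the worst-case length up front and rejecting names that do not fit.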

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
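As an added example (not code from gram.y or from the patch), here is a bounded version of the quoting loop the hunk shows, with the terminator written explicitly and the output length checked against the buffer before anything is written; `quote_cursor_name` and `check_quote` are names chosen here, and the escaping rule (a backslash before every embedded quote or backslash) is assumed from the visible lines.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not code from gram.y or the patch. It rebuilds the quoting
 * loop the hunk shows (wrap the name in single quotes, backslash every quote
 * or backslash inside it) with the two things the original lacked: the
 * terminator is written explicitly instead of being assumed to already be in
 * buf, and the size is checked against bufsz before any write, so an
 * over-long name is rejected (-1, buf left as "") instead of overrunning. */
static int quote_cursor_name(const char *name, char *buf, size_t bufsz)
{
    size_t      need = 3;            /* two quotes plus the '\0' */
    const char *cp1;
    char       *cp2 = buf;
    for (cp1 = name; *cp1 != '\0'; cp1++)         /* worst-case size */
        need += (*cp1 == '\'' || *cp1 == '\\') ? 2 : 1;
    if (need > bufsz)
    {
        if (bufsz > 0)
            buf[0] = '\0';
        return -1;
    }

    *cp2++ = '\'';
    for (cp1 = name; *cp1 != '\0';)
    {
        if (*cp1 == '\'' || *cp1 == '\\')
            *cp2++ = '\\';
        *cp2++ = *cp1++;
    }
    *cp2++ = '\'';
    *cp2 = '\0';                     /* what the patch adds; no strcat() */
    return (int) (cp2 - buf);
}

/* Self-check helper: quote name into a bufsz-byte buffer (bufsz <= 64) and
 * report whether the result equals expected, or, when expected is NULL,
 * whether the name was rejected with -1. */
static int check_quote(const char *name, size_t bufsz, const char *expected)
{
    char buf[64];
    int  n;
    if (bufsz > sizeof buf)
        return 0;
    n = quote_cursor_name(name, buf, bufsz);
    if (expected == NULL)
        return n == -1;
    return n == (int) strlen(expected) && strcmp(buf, expected) == 0;
}
```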
