From: | Martin Pitt <martin(at)piware(dot)de> |
---|---|
To: | pgsql-bugs(at)postgresql(dot)org, Peter Eisentraut <peter_e(at)gmx(dot)net> |
Cc: | 247306(at)bugs(dot)debian(dot)org |
Subject: | Re: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes) |
Date: | 2004-05-11 23:47:09 |
Message-ID: | 20040511234709.GB21484@web08.manitu.net |
Lists: | pgsql-bugs pgsql-odbc |
Hi!
On 2004-05-12 1:31 +0200, Peter Eisentraut wrote:
> Martin Pitt wrote:
> > A week ago we at Debian received the bug report below: due to a
> > buffer overflow in psqlodbc it is possible to crash (and possibly
> > exploit) apache. I already sent this mail to the psqlodbc list [1],
> > but unfortunately got no response so far. So maybe there are some
> > hackers here who can help with this?
>
> The problem is that the ODBC driver just writes the long user name or
> password into its internal data structures without paying attention to the
> fact that it's only got 256 bytes of space. (function PGAPI_Connect in
> file connection.c) It's the oldest bug in the book really.
Thanks for this hint and spotting the error, I think I see the problem
now: PGAPI_Connect calls
make_string(szDSN, cbDSN, ci->dsn);
to copy the string (and similar with uid and password). ci->dsn is
only MEDIUM_REGISTRY_LEN (256) bytes big, so if cbDSN >= 256, it will
crash. So I suppose the function just has to check the cb* values, and
if one of them is >= 256, return an appropriate error?
Another possibility would be to add a fourth argument to make_string
that specifies the size of the target buffer (and have it copy
max(stringlen, bufferlen-1) bytes). This would force the correction of
all places where make_string is used (just 13, so it should not get
too hard).
Any comments on that?
Thanks,
Martin
--
Martin Pitt Debian GNU/Linux Developer
martin(at)piware(dot)de mpitt(at)debian(dot)org
http://www.piware.de http://www.debian.org
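The overflow described in this message and the second fix Martin proposes (a fourth argument to make_string giving the destination buffer size), as an added C example. This is not psqlodbc's code: the three-argument make_string is reconstructed from the call quoted above, struct conn_info and the pgapi_connect_copy / copy_conn_field names are hypothetical, MEDIUM_REGISTRY_LEN is taken as 256 from the mail, and SQL_NTS is the ODBC convention (-1 meaning "null-terminated", from sql.h). The bounded variant copies at most bufsize-1 bytes, always terminates, and reports how many bytes did not fit so the connect path can return an error instead of silently truncating a DSN, user name or password.

```c
#include <stdio.h>
#include <string.h>

#define MEDIUM_REGISTRY_LEN 256   /* size of ci->dsn, ci->username, ci->password per the mail */
#define SQL_NTS (-1)              /* ODBC: cb* argument meaning "source is null-terminated" */

enum { CONN_OK = 0, CONN_ERR_TOO_LONG = -1, CONN_ERR_BAD_LEN = -2 };

/* Hypothetical connection-info struct with the fixed-size fields the mail describes. */
struct conn_info {
    char dsn[MEDIUM_REGISTRY_LEN];
    char username[MEDIUM_REGISTRY_LEN];
    char password[MEDIUM_REGISTRY_LEN];
};

/* Reconstruction of the unbounded three-argument copy (NOT psqlodbc's source).
   Copies len bytes, or the whole string for SQL_NTS, with no check against the
   size of buf: a 256-byte buffer overflows as soon as len >= 256. */
static char *make_string_unbounded(const char *s, int len, char *buf)
{
    size_t n;
    if (s == NULL)
        return NULL;
    n = (len == SQL_NTS) ? strlen(s) : (size_t)len;
    memcpy(buf, s, n);          /* overflows buf when n >= sizeof(buf) */
    buf[n] = '\0';
    return buf;
}

/* Bounded variant with the proposed fourth argument. Copies at most bufsize-1
   bytes, always NUL-terminates, and returns the number of source bytes that did
   not fit (0 means the whole string was stored). */
static size_t make_string_bounded(const char *s, int len, char *buf, size_t bufsize)
{
    size_t n, keep;
    if (buf == NULL || bufsize == 0)
        return 0;
    if (s == NULL) {
        buf[0] = '\0';
        return 0;
    }
    n = (len == SQL_NTS) ? strlen(s) : (size_t)len;
    keep = (n < bufsize) ? n : bufsize - 1;
    memcpy(buf, s, keep);
    buf[keep] = '\0';
    return n - keep;
}

/* Validates the ODBC length argument, then refuses (rather than truncates) any
   value that does not fit the fixed-size field. */
static int copy_conn_field(const char *src, int cb, char *dst, size_t dstsize)
{
    if (cb != SQL_NTS && cb < 0)
        return CONN_ERR_BAD_LEN;
    if (make_string_bounded(src, cb, dst, dstsize) != 0) {
        dst[0] = '\0';
        return CONN_ERR_TOO_LONG;
    }
    return CONN_OK;
}

/* Hypothetical stand-in for the part of PGAPI_Connect that copies DSN, UID and PWD. */
static int pgapi_connect_copy(struct conn_info *ci,
                              const char *szDSN, int cbDSN,
                              const char *szUID, int cbUID,
                              const char *szPWD, int cbPWD)
{
    int rc;
    if ((rc = copy_conn_field(szDSN, cbDSN, ci->dsn, sizeof ci->dsn)) != CONN_OK)
        return rc;
    if ((rc = copy_conn_field(szUID, cbUID, ci->username, sizeof ci->username)) != CONN_OK)
        return rc;
    return copy_conn_field(szPWD, cbPWD, ci->password, sizeof ci->password);
}

/* Constructed input: a null-terminated DSN of n 'A' bytes (the Debian report used
   inputs of more than 10000 bytes). Returns the connect result code. */
static int connect_with_dsn_of_length(size_t n)
{
    static char buf[16384];
    struct conn_info ci;
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return pgapi_connect_copy(&ci, buf, SQL_NTS, "user", SQL_NTS, "secret", SQL_NTS);
}

/* Constructed input: a 300-byte source passed with an explicit byte count cb. */
static int counted_copy_result(int cb)
{
    static char src[300];
    struct conn_info ci;
    memset(src, 'B', sizeof src);
    return copy_conn_field(src, cb, ci.dsn, sizeof ci.dsn);
}

int main(void)
{
    char small[16];
    make_string_unbounded("short", SQL_NTS, small);   /* safe only because it fits */
    printf("255-byte DSN: %d (0 = ok)\n", connect_with_dsn_of_length(255));
    printf("256-byte DSN: %d (-1 = too long)\n", connect_with_dsn_of_length(256));
    printf("10001-byte DSN: %d (-1 = too long)\n", connect_with_dsn_of_length(10001));
    printf("cb = -5: %d (-2 = bad length)\n", counted_copy_result(-5));
    return 0;
}
```

The boundary matches the mail's statement that cbDSN >= 256 crashes the unbounded version: 255 bytes plus the terminator fill the 256-byte field exactly, so 255 is accepted and 256 is rejected. Rejecting rather than truncating is the safer choice for a password field, where a silently shortened value would be a different credential.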
From | Date | Subject | |
---|---|---|---|
Next Message | PostgreSQL Bugs List | 2004-05-11 23:51:20 | BUG #1152: Primary key not applied in inherited tables |
Previous Message | Peter Eisentraut | 2004-05-11 23:31:37 | Re: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes) |
From | Date | Subject | |
---|---|---|---|
Next Message | Martin Pitt | 2004-05-13 09:41:56 | Fix for buffer overflow ready [was: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)] |
Previous Message | Peter Eisentraut | 2004-05-11 23:31:37 | Re: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes) |