
Re: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)

From: Martin Pitt <martin(at)piware(dot)de>
To: pgsql-bugs(at)postgresql(dot)org, Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: 247306(at)bugs(dot)debian(dot)org
Subject: Re: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)
Date: 2004-05-11 23:47:09
Message-ID: 20040511234709.GB21484@web08.manitu.net
Lists: pgsql-bugs, pgsql-odbc
Hi!

On 2004-05-12  1:31 +0200, Peter Eisentraut wrote:
> Martin Pitt wrote:
> > A week ago we at Debian received the bug report below: due to a
> > buffer overflow in psqlodbc it is possible to crash (and possibly
> > exploit) apache. I already sent this mail to the psqlodbc list [1],
> > but unfortunately got no response so far. So maybe there are some
> > hackers here who can help with this?
> 
> The problem is that the ODBC driver just writes the long user name or
> password into its internal data structures without paying attention to the
> fact that it's only got 256 bytes of space.  (function PGAPI_Connect in
> file connection.c)  It's the oldest bug in the book really.

Thanks for this hint and for spotting the error; I think I see the problem
now: PGAPI_Connect calls

        make_string(szDSN, cbDSN, ci->dsn);
 
to copy the string (and similar with uid and password). ci->dsn is
only MEDIUM_REGISTRY_LEN (256) bytes big, so if cbDSN >= 256, it will
crash. So I suppose the function just has to check the cb* values, and
if one of them is >= 256, return an appropriate error? 

Another possibility would be to add a fourth argument to make_string
that specifies the size of the target buffer (and have it copy
max(stringlen, bufferlen-1) bytes). This would force the correction of
all places where make_string is used (just 13, so it should not get
too hard).

Any comments on that?

Thanks,

Martin

-- 
Martin Pitt                 Debian GNU/Linux Developer
martin(at)piware(dot)de                      mpitt(at)debian(dot)org
http://www.piware.de             http://www.debian.org
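As an added illustration (not code from the mail or from psqlodbc) of the second option discussed above, a four-argument make_string that takes the target buffer size, copies at most bufsize-1 bytes, always NUL-terminates, and refuses inputs that would not fit, with the three PGAPI_Connect copies routed through it. The ConnInfo struct, make_string_n and copy_connect_args are hypothetical stand-ins; MEDIUM_REGISTRY_LEN (256) and the ODBC SQL_NTS value are taken from the mail and the ODBC spec.

```c
#include <stddef.h>
#include <string.h>

#define MEDIUM_REGISTRY_LEN 256  /* size of ci->dsn etc. in psqlodbc, per the mail */
#define SQL_NTS (-3)             /* ODBC length value meaning "NUL-terminated input" */

/* Constructed stand-in for the relevant fields of psqlodbc's ConnInfo. */
typedef struct {
    char dsn[MEDIUM_REGISTRY_LEN];
    char username[MEDIUM_REGISTRY_LEN];
    char password[MEDIUM_REGISTRY_LEN];
} ConnInfo;

/* Hypothetical bounded make_string: copies at most bufsize-1 bytes of s into
 * buf and always NUL-terminates. Returns the number of bytes copied, or -1 if
 * the input would not fit; buf is left empty rather than silently truncated,
 * so an over-long DSN/user/password cannot pass as a shorter one. */
static int make_string_n(const char *s, int len, char *buf, size_t bufsize)
{
    size_t n;
    if (buf == NULL || bufsize == 0)
        return -1;
    buf[0] = '\0';
    if (s == NULL)
        return 0;
    if (len == SQL_NTS)
        n = strlen(s);
    else if (len < 0)
        return -1;               /* invalid length indicator */
    else
        n = (size_t)len;
    if (n >= bufsize)            /* the cb >= 256 case that overflowed the field */
        return -1;
    memcpy(buf, s, n);
    buf[n] = '\0';
    return (int)n;
}

/* The three copies PGAPI_Connect makes, done with the bounded helper.
 * Returns 0 on success, -1 as soon as any field is too long. */
static int copy_connect_args(ConnInfo *ci, const char *dsn, int cbDSN,
                             const char *uid, int cbUID,
                             const char *pwd, int cbAuth)
{
    if (make_string_n(dsn, cbDSN, ci->dsn, sizeof ci->dsn) < 0 ||
        make_string_n(uid, cbUID, ci->username, sizeof ci->username) < 0 ||
        make_string_n(pwd, cbAuth, ci->password, sizeof ci->password) < 0)
        return -1;
    return 0;
}
```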
