Skip site navigation (1) Skip section navigation (2)

Re: Fix for buffer overflow ready [was: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)]

From: Martin Pitt <martin(at)piware(dot)de>
To: pgsql-bugs(at)postgresql(dot)org, pgsql-odbc(at)postgresql(dot)org
Subject: Re: Fix for buffer overflow ready [was: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)]
Date: 2004-05-13 23:52:29
Message-ID: 20040513235229.GB29063@web08.manitu.net (view raw or flat)
Thread:
Lists: pgsql-bugspgsql-odbc
Hi!

On 2004-05-13 19:43 +0200, Peter Eisentraut wrote:
> Silently truncating various pieces of information is probably not the 
> right thing.  

But IMHO still better than overwriting arbitrary other data and code.
If an user supplies bogus input, he cannot expect to get something
sane out.

> What are you truncating?  

By now: 

- DSN, username, password, and the whole connection string; 

- table names in info.c:
  make_string(szTableName, cbTableName, pktab, sizeof(pktab));

- Two calls in info.c:
  make_string(szPkTableName, cbPkTableName, pk_table_needed, sizeof(pk_table_needed));
  make_string(szFkTableName, cbFkTableName, fk_table_needed, sizeof(fk_table_needed));

If these values should not be truncated, then psqlodbc should not use
fixed buffer sizes. Currently truncating them is way more sane than
letting them mess up the whole memory.

> If it's a query string you might open yourself up to SQL-injection
> type problems.

I don't think that the patch affects whole query strings, but of
course I may be wrong. The point of this patch was to fix the most
apparent overflows with least possible changes, and after a week of
silence on the lists I just had to do something about it. And now at
least the connection and exec methods seem to work safely.

> Plus, the ODBC driver appears to have buffer overruns all over the 
> place.  We need to replace every instance of strcpy, strcat, sprintf, 
> make_string, and the various other feeble attempts with pqexpbuffer 
> from libpq.  That's the only way to solve this problem once and for 
> all.

I would be glad if the next psqlodbc version would be written in a
sane way, without fixed string lengths and with a clear and safe
string "class" interface. But doing this is far beyond the scope of a
security patch (especially for Debian stable).

One question: which mailing list is the better place to discuss this?
-odbc or -bugs?

Thanks and have a nice day!

Martin

-- 
Martin Pitt                 Debian GNU/Linux Developer
martin(at)piware(dot)de                      mpitt(at)debian(dot)org
http://www.piware.de             http://www.debian.org

In response to

pgsql-odbc by date

Next:From: Yury KolesDate: 2004-05-14 06:41:04
Subject: psqlODBC driver does not work
Previous:From: Peter EisentrautDate: 2004-05-13 17:43:09
Subject: Re: Fix for buffer overflow ready [was: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)]

pgsql-bugs by date

Next:From: PostgreSQL Bugs ListDate: 2004-05-14 07:25:14
Subject: BUG #1154: no python interface anymore
Previous:From: Peter EisentrautDate: 2004-05-13 22:47:29
Subject: Re: BUG #1150: grant options not properly checked

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group