
Re: [Patch] First buffer overflow fixes

From: "Dave Page" <dpage(at)vale-housing(dot)co(dot)uk>
To: "Peter Eisentraut" <peter_e(at)gmx(dot)net>, <pgsql-odbc(at)postgresql(dot)org>
Subject: Re: [Patch] First buffer overflow fixes
Date: 2004-07-09 08:52:15
Message-ID: E7F85A1B5FF8D44C8A1AF6885BC9A0E40C390E@ratbert.vale-housing.co.uk
Lists: pgsql-odbc
 

> -----Original Message-----
> From: pgsql-odbc-owner(at)postgresql(dot)org 
> [mailto:pgsql-odbc-owner(at)postgresql(dot)org] On Behalf Of Peter Eisentraut
> Sent: 09 July 2004 09:02
> To: pgsql-odbc(at)postgresql(dot)org
> Subject: Re: [ODBC] [Patch] First buffer overflow fixes
> 
> And here's the patch... :-)
> 
> On Friday, 9 July 2004 00:58, Peter Eisentraut wrote:
> > Here's a small round of fixes for buffer overflows.  They are related
> > to the recent security announcement, namely that the make_string()
> > function doesn't check the size of the buffer.  The solution is mainly
> > based on the patch proposed by Martin Pitt at that time, namely to
> > pass the size of the buffer, but I'm leaning more in favor of
> > dynamically allocating buffers rather than using fixed-size arrays, so
> > I used that approach where possible.
> >
> > Please inspect.  If no one objects I'll install this patch in a few
> > days.

Looks OK to me - however I noticed a compiler warning in misc.c when
testing - the following patch fixes it:

Index: misc.c
===================================================================
RCS file: /usr/local/cvsroot/psqlodbc/psqlodbc/misc.c,v
retrieving revision 1.39
diff -u -r1.39 misc.c
--- misc.c	9 Dec 2003 10:01:38 -0000	1.39
+++ misc.c	9 Jul 2004 08:48:31 -0000
@@ -266,7 +266,7 @@
 char *
 make_string(const char *s, int len, char *buf)
 {
-	int			length;
+	unsigned int			length;
 	char	   *str;
 
 	if (s && (len > 0 || (len == SQL_NTS && strlen(s) > 0)))
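
Review bot: `unsigned int` for `length` in make_string() may silence the compiler warning, but it is still not the type that `strlen(s)` in the condition below returns; declaring it `size_t length;` would match strlen() and avoid truncation on platforms where size_t is wider than unsigned int. The hunk is also made against revision 1.39, where the signature is still `make_string(const char *s, int len, char *buf)` with no buffer size, so it does nothing for the overflow itself and will have to be applied on top of the signature change in the quoted patch. Minor: the replacement line keeps the three tabs after the type, which pushes `length` out of column with `*str`.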


Regards, Dave.
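
The two fixes Peter describes in the quoted message (pass the buffer size, or allocate the buffer dynamically) look like this in a single function. This is an added example, not code from the thread or from psqlodbc: `make_string_bounded`, its `bufsize` parameter, the "NULL `buf` means allocate" convention and the locally defined `SQL_NTS` value are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* ODBC marker for "s is NUL-terminated"; defined locally so the example is self-contained. */
#define SQL_NTS (-3)

/*
 * Hypothetical bounded variant of a make_string()-style helper.
 * s/len follow the ODBC convention: len is a byte count or SQL_NTS,
 * and the caller guarantees s holds at least len bytes.
 * buf != NULL: copy into the caller's buffer of bufsize bytes.
 * buf == NULL: allocate exactly length + 1 bytes (caller frees).
 * Returns NULL for empty input, bad len, too-small buffer or failed malloc.
 */
char *
make_string_bounded(const char *s, int len, char *buf, size_t bufsize)
{
	size_t		length;		/* size_t matches strlen() and memcpy() */
	char	   *str;

	if (!s)
		return NULL;
	if (len == SQL_NTS)
		length = strlen(s);
	else if (len > 0)
		length = (size_t) len;
	else
		return NULL;		/* zero or any other negative length */
	if (length == 0)
		return NULL;

	if (buf)
	{
		/* Need room for length bytes plus the terminator: refuse, never overflow. */
		if (length >= bufsize)
			return NULL;
		str = buf;
	}
	else
	{
		str = malloc(length + 1);
		if (!str)
			return NULL;
	}
	memcpy(str, s, length);
	str[length] = '\0';
	return str;
}
```

Returning NULL on a too-small buffer, rather than silently truncating, lets the caller distinguish a shortened value from a complete one.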
