Re: [Patch] First buffer overflow fixes

> -----Original Message-----
> From: pgsql-odbc-owner(at)postgresql(dot)org
> [mailto:pgsql-odbc-owner(at)postgresql(dot)org] On Behalf Of Peter Eisentraut
> Sent: 09 July 2004 09:02
> To: pgsql-odbc(at)postgresql(dot)org
> Subject: Re: [ODBC] [Patch] First buffer overflow fixes
>
> And here's the patch... :-)
>
> Am Freitag, 9. Juli 2004 00:58 schrieb Peter Eisentraut:
> > Here's a small round of fixes for buffer overflows. They
> are related
> > to the recent security announcement, namely that the make_string()
> > function doesn't check the size of the buffer. The
> solution is mainly
> > based on the patch proposed by Martin Pitt at that time, namely to
> > pass the size of the buffer, but I'm leaning more in favor of
> > dynamically allocating buffers rather than using fixed-size
> arrays, so
> > I used that approach where possible.
> >
> > Please inspect. If no one objects I'll install this patch in a few
> > days.

Looks OK to me - however I noticed a compiler warning in misc.c when
testing - the following patch fixes it:

Index: misc.c
===================================================================
RCS file: /usr/local/cvsroot/psqlodbc/psqlodbc/misc.c,v
retrieving revision 1.39
diff -u -r1.39 misc.c
--- misc.c 9 Dec 2003 10:01:38 -0000 1.39
+++ misc.c 9 Jul 2004 08:48:31 -0000
@@ -266,7 +266,7 @@
char *
make_string(const char *s, int len, char *buf)
{
- int length;
+ unsigned int length;
char *str;

if (s && (len > 0 || (len == SQL_NTS && strlen(s) > 0)))

Regards, Dave.