Re: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)

From: Martin Pitt <martin(at)piware(dot)de>
To: pgsql-bugs(at)postgresql(dot)org, Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: 247306(at)bugs(dot)debian(dot)org
Subject: Re: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)
Date: 2004-05-11 23:47:09
Message-ID: 20040511234709.GB21484@web08.manitu.net
Lists: pgsql-bugs pgsql-odbc

Hi!

On 2004-05-12 1:31 +0200, Peter Eisentraut wrote:
> Martin Pitt wrote:
> > A week ago we at Debian received the bug report below: due to a
> > buffer overflow in psqlodbc it is possible to crash (and possibly
> > exploit) apache. I already sent this mail to the psqlodbc list [1],
> > but unfortunately got no response so far. So maybe there are some
> > hackers here who can help with this?
>
> The problem is that the ODBC driver just writes the long user name or
> password into its internal data structures without paying attention to the
> fact that it's only got 256 bytes of space. (function PGAPI_Connect in
> file connection.c) It's the oldest bug in the book really.

Thanks for this hint and spotting the error, I think I see the problem
now: PGAPI_Connect calls

make_string(szDSN, cbDSN, ci->dsn);

to copy the string (and similar with uid and password). ci->dsn is
only MEDIUM_REGISTRY_LEN (256) bytes big, so if cbDSN >= 256, it will
crash. So I suppose the function just has to check the cb* values, and
if one of them is >= 256, return an appropriate error?

Another possibility would be to add a fourth argument to make_string
that specifies the size of the target buffer (and have it copy
max(stringlen, bufferlen-1) bytes). This would force the correction of
all places where make_string is used (just 13, so it should not get
too hard).

Any comments to that?

Thanks,

Martin

--
Martin Pitt Debian GNU/Linux Developer
martin(at)piware(dot)de mpitt(at)debian(dot)org
http://www.piware.de http://www.debian.org
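An added illustration of the second option discussed in the mail (a make_string that takes the target buffer size as a fourth argument and refuses input that does not fit); this is constructed example code, not code from psqlodbc or from anyone in this thread. MEDIUM_REGISTRY_LEN is the 256-byte field size named in the mail; NTS_MARKER, ConnInfoExample, connect_copy_fields and simulate_connect are invented names for the demonstration.

```c
#include <stdlib.h>
#include <string.h>
#define MEDIUM_REGISTRY_LEN 256  /* size of ci->dsn / uid / password, per the thread */
#define NTS_MARKER (-3)          /* constructed stand-in for ODBC's "null-terminated" length */

/* Hypothetical bounded make_string (the "fourth argument" variant from the mail): copies at
 * most bufsize-1 bytes, always NUL-terminates, returns bytes copied or -1 if it does not fit. */
int make_string_bounded(const char *s, int len, char *buf, size_t bufsize)
{
    size_t n;
    if (s == NULL || buf == NULL || bufsize == 0 || (len < 0 && len != NTS_MARKER))
        return -1;
    n = (len == NTS_MARKER) ? strlen(s) : (size_t)len;
    if (n >= bufsize) {          /* n+1 bytes needed, counting the terminator */
        buf[0] = '\0';
        return -1;
    }
    memcpy(buf, s, n);
    buf[n] = '\0';
    return (int)n;
}

/* Constructed stand-in for the driver's connection-info struct (fixed 256-byte fields). */
typedef struct {
    char dsn[MEDIUM_REGISTRY_LEN], username[MEDIUM_REGISTRY_LEN], password[MEDIUM_REGISTRY_LEN];
} ConnInfoExample;
/* PGAPI_Connect-style copy of the caller's strings: 1 on success, 0 if any is too long. */
int connect_copy_fields(ConnInfoExample *ci, const char *dsn, int cbdsn,
                        const char *uid, int cbuid, const char *pwd, int cbpwd)
{
    if (make_string_bounded(dsn, cbdsn, ci->dsn, sizeof ci->dsn) < 0) return 0;
    if (make_string_bounded(uid, cbuid, ci->username, sizeof ci->username) < 0) return 0;
    if (make_string_bounded(pwd, cbpwd, ci->password, sizeof ci->password) < 0) return 0;
    return 1;
}
/* Constructed input: a DSN of dsn_len 'A' bytes (the bug report used > 10000 bytes).
 * Returns 1 if accepted and copied intact, 0 if rejected, -1 if malloc fails. */
int simulate_connect(size_t dsn_len)
{
    ConnInfoExample ci; int ok;
    char *dsn = malloc(dsn_len + 1);
    if (dsn == NULL) return -1;
    memset(dsn, 'A', dsn_len);
    dsn[dsn_len] = '\0';
    ok = connect_copy_fields(&ci, dsn, NTS_MARKER, "user", 4, "secret", NTS_MARKER);
    if (ok && strcmp(ci.dsn, dsn) != 0) ok = 0;   /* copy must be byte-exact */
    free(dsn);
    return ok;
}
```

With this shape, a DSN of 255 bytes still fits (256 with the terminator) while 256 or more is rejected before any copy into the fixed-size field, which is the check the mail asks for at the cb* values.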
