| From: | Neil Conway <neilc(at)samurai(dot)com> |
|---|---|
| To: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Vince Vielhaber <vev(at)michvhf(dot)com> |
| Subject: | Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL (fwd) |
| Date: | 2002-08-21 21:04:22 |
| Message-ID: | 87n0rfnctl.fsf@mailbox.samurai.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Neil Conway <neilc(at)samurai(dot)com> writes:
> Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> writes:
>
> > Vince Vielhaber <vev(at)michvhf(dot)com> writes:
> > > Here's yet another. He claims malicious code can be run on the server
> > > with this one.
> >
> > regression=# select repeat('xxx',1431655765);
> > server closed the connection unexpectedly
> >
> > This is probably caused by integer overflow in calculating the size of
> > the repeat's result buffer. It'd take some considerable doing to create
> > an arbitrary-code exploit, but perhaps could be done. Anyone want to
> > investigate a patch?
>
> This seems to fix the problem:
No, no it does not :-)
Tom pointed out some obvious braindamage in my previous patch. I've
attached a revised version.
Cheers,
Neil
--
Neil Conway <neilc(at)samurai(dot)com> || PGP Key ID: DB3C29FC
| Attachment | Content-Type | Size |
|---|---|---|
| repeat_fix-3.patch | text/x-patch | 844 bytes |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2002-08-21 21:05:01 | Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in |
| Previous Message | Peter Eisentraut | 2002-08-21 20:48:14 | Re: CREATE CAST WITHOUT FUNCTION should require superuserness? |