[PATCH] Fix possible string overflow with sscanf (xlog.c)

From: Ranier Vilela <ranier_gyn(at)hotmail(dot)com>
To: "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: [PATCH] Fix possible string overflow with sscanf (xlog.c)
Date: 2019-11-26 01:51:30
Message-ID: MN2PR18MB2927B36C93F904068F07803CE3450@MN2PR18MB2927.namprd18.prod.outlook.com
Lists: pgsql-hackers

Hi,
I know it's very hard, but it is possible. It just takes someone with the knowledge to do it.

Here is a proof of concept:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXPGPATH 256

int main(int argc, char **argv)
{
    char tbsoid[MAXPGPATH];
    char str[MAXPGPATH];
    int ch,
        prev_ch = -1,
        i = 0,
        n;
    FILE *lfp;

    /* Input file: one "<oid> <path>" line per entry, read the same way as in xlog.c. */
    lfp = fopen("c:\\tmp\\crash.dat", "rb");
    if (lfp == NULL)
    {
        perror("fopen");
        exit(1);
    }
    while ((ch = fgetc(lfp)) != EOF)
    {
        if ((ch == '\n' || ch == '\r') && prev_ch != '\\')
        {
            /* End of line: the first token is scanned into tbsoid with an
             * unbounded %s, so a token longer than MAXPGPATH-1 overflows it. */
            str[i] = '\0';
            if (sscanf(str, "%s %n", tbsoid, &n) != 1)
            {
                printf("tbsoid size=%zu\n", strlen(tbsoid));
                printf("tbsoid=%s\n", tbsoid);
                exit(1);
            }
            i = 0;
            continue;
        }
        else if ((ch == '\n' || ch == '\r') && prev_ch == '\\')
            str[i - 1] = ch;    /* backslash-escaped line break */
        else
            str[i++] = ch;
        prev_ch = ch;
    }
    fclose(lfp);
    return 0;
}

Overflow (with MAXPGPATH=256):
C:\usr\src\tests\scanf>sscanf3
tbsoid size=260
tbsoid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxx

Now with patch:
C:\usr\src\tests\scanf>sscanf3
tbsoid size=255
tbsoid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxx

The solution is simple, but clumsy. I hope that is enough.
sscanf(str, "%1023s %n", tbsoid, &n)

Best regards.
Ranier Vilela

Attachment Content-Type Size
xlog.c.patch text/x-patch 1.1 KB
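Added example (not the attached patch and not PostgreSQL's own code): a bounded version of the "<oid> <path>" parse step, showing the width-limited %s the patch proposes together with the check a practitioner would add on top of it, because a width such as %1023s truncates silently and the leftover characters would otherwise be consumed as the path. It assumes a 256-byte buffer in place of MAXPGPATH and constructed sample lines.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define OID_WIDTH 255               /* a literal, so it can be pasted into the format */
#define BUFSZ (OID_WIDTH + 1)       /* stand-in for MAXPGPATH; width + 1 for the NUL */
#define STR_(x) #x
#define STR(x) STR_(x)

/* Parse one "<oid> <path>" line of a tablespace_map-style file.
 * Returns 1 and sets *path, or 0 if there is no token or the oid token is
 * longer than OID_WIDTH: a width-limited %s truncates silently, so the
 * leftover input has to be detected explicitly. */
int parse_tbs_line(const char *line, char oid[BUFSZ], const char **path)
{
    int n = 0;

    /* "%255s" writes at most 255 chars plus NUL; %n gives the offset right
     * after the token, before any whitespace is skipped. */
    if (sscanf(line, "%" STR(OID_WIDTH) "s%n", oid, &n) != 1)
        return 0;
    /* Next char neither NUL nor whitespace: sscanf stopped at the width. */
    if (line[n] != '\0' && !isspace((unsigned char) line[n]))
        return 0;
    while (isspace((unsigned char) line[n]))
        n++;
    *path = line + n;
    return 1;
}

/* Constructed input: a well-formed line. Returns 1 when parsed as expected. */
int demo_good_line(void)
{
    char oid[BUFSZ];
    const char *path = NULL;
    return parse_tbs_line("16384 /mnt/tbs1", oid, &path) == 1
        && strcmp(oid, "16384") == 0 && strcmp(path, "/mnt/tbs1") == 0;
}

/* Constructed input: a 300-char token (longer than BUFSZ) followed by a path.
 * Returns 1 when the line is rejected instead of overflowing oid. */
int demo_overlong_line(void)
{
    char line[320], oid[BUFSZ];
    const char *path = NULL;
    memset(line, 'x', 300);
    strcpy(line + 300, " /mnt/tbs2");
    return parse_tbs_line(line, oid, &path) == 0;
}
```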
