Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in

On Wed, 21 Aug 2002, Gavin Sherry wrote:

> On Tue, 20 Aug 2002, Thomas Lockhart wrote:
>
> > ...
> > > So I think that fixing the opaque problems in 7.2.x is simply
> > > impossible. Given that, the question is whether we should make a 7.2.2
> > > release with fixes for the other security holes (lpad(), rpad(),
> > > reverse(), and the datetime overruns). IMHO, we should.
> >
> > Just a minor point: can someone actually show a symptom with date/time
> > problems in 7.2.x?
>

[snip]

> server closed the connection unexpectedly
> This probably means the server terminated abnormally
> before or while processing the request.
> The connection to the server was lost. Attempting reset: Failed.
> !#
>
> ParseDateTime() isn't checking that str < MAXDATELEN -- which is the
> problem you solved in the datetime.c fixes.

I had a look at this code on the train. There does not appear to be any
way on conventional hardware manipulate this bug to smash the stack. This
is due to the fact that ParseDateTime() returns to the caller if it
encounters a non-printable character. It would be perhaps one of the most
impressive hacks ever if someone could dream machine code to put in the
overrun which consisted entirely of printable characters.

As such, it is remarkably unlikely that someone could exploit this bug to
execute arbitary code.

Gavin