dbTalk Databases Forums

Re: [BUGS] Fix for buffer overflow ready [was: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)]

mailing.database.pgsql-bugs



#1 Peter Eisentraut

Re: [BUGS] Fix for buffer overflow ready [was: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)] - 05-13-2004, 12:55 PM

Martin Pitt wrote:
Quote:
The problem is that make_string() in misc.c does not check whether
the target buffer is big enough to hold the copied string.

I added a bufsize parameter to make_string() and used it in all calls
to it. I tried it with my php4 crash test script and now it works
properly.

Silently truncating various pieces of information is probably not the
right thing. What are you truncating? If it's a query string you
might open yourself up to SQL-injection type problems.

Plus, the ODBC driver appears to have buffer overruns all over the
place. We need to replace every instance of strcpy, strcat, sprintf,
make_string, and the various other feeble attempts with pqexpbuffer
from libpq. That's the only way to solve this problem once and for
all.

#2 Martin Pitt

Re: [BUGS] Fix for buffer overflow ready [was: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)] - 05-13-2004, 07:03 PM

Hi!

On 2004-05-13 19:43 +0200, Peter Eisentraut wrote:
Quote:
Silently truncating various pieces of information is probably not the
right thing.

But IMHO still better than overwriting arbitrary other data and code.
If a user supplies bogus input, he cannot expect to get something
sane out.

Quote:
What are you truncating?

By now:

- DSN, username, password, and the whole connection string;

- table names in info.c:
make_string(szTableName, cbTableName, pktab, sizeof(pktab));

- Two calls in info.c:
make_string(szPkTableName, cbPkTableName, pk_table_needed, sizeof(pk_table_needed));
make_string(szFkTableName, cbFkTableName, fk_table_needed, sizeof(fk_table_needed));

If these values should not be truncated, then psqlodbc should not use
fixed buffer sizes. Currently truncating them is way more sane than
letting them mess up the whole memory.

Quote:
If it's a query string you might open yourself up to SQL-injection
type problems.

I don't think that the patch affects whole query strings, but of
course I may be wrong. The point of this patch was to fix the most
apparent overflows with least possible changes, and after a week of
silence on the lists I just had to do something about it. And now at
least the connection and exec methods seem to work safely.

Quote:
Plus, the ODBC driver appears to have buffer overruns all over the
place. We need to replace every instance of strcpy, strcat, sprintf,
make_string, and the various other feeble attempts with pqexpbuffer
from libpq. That's the only way to solve this problem once and for
all.

I would be glad if the next psqlodbc version would be written in a
sane way, without fixed string lengths and with a clear and safe
string "class" interface. But doing this is far beyond the scope of a
security patch (especially for Debian stable).

One question: which mailing list is the better place to discuss this?
-odbc or -bugs?

Thanks and have a nice day!

Martin

--
Martin Pitt Debian GNU/Linux Developer
martin (AT) piware (DOT) de mpitt (AT) debian (DOT) org
http://www.piware.de http://www.debian.org
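As an added illustration of the two make_string() shapes discussed in this thread (this is example code, not psqlodbc's source and not Martin's patch): the unchecked copy that ignores the destination size, beside a bounded variant with the bufsize parameter, wrapped in a call that mirrors the info.c pktab site. The SQL_NTS value (-3), the PKTAB_SIZE of 32 and the truncation return value are assumptions for this example.

```c
#include <stddef.h>
#include <string.h>

#define SQL_NTS (-3)  /* ODBC convention: "length" means use strlen() (assumed) */

/* The unchecked shape the thread complains about: the caller's buffer size is
 * never consulted, so a long DSN or table name runs past the end of buf. */
void make_string_unchecked(const char *s, long len, char *buf)
{
    size_t n = (len == SQL_NTS) ? strlen(s) : (size_t)len;
    memcpy(buf, s, n);             /* overflows when n >= caller's buffer size */
    buf[n] = '\0';
}

/* Bounded variant with the bufsize parameter Martin Pitt describes.
 * Copies at most bufsize-1 bytes, always NUL-terminates when bufsize > 0,
 * and returns 1 when the input was truncated so the caller can report it
 * (e.g. as an ODBC error) rather than silently using a shortened value. */
int make_string_bounded(const char *s, long len, char *buf, size_t bufsize)
{
    size_t n;

    if (buf == NULL || bufsize == 0)
        return 0;                  /* nowhere to write safely */
    if (s == NULL || (len < 0 && len != SQL_NTS)) {
        buf[0] = '\0';             /* bogus input: yield an empty string */
        return 0;
    }
    n = (len == SQL_NTS) ? strlen(s) : (size_t)len;
    if (n >= bufsize) {
        memcpy(buf, s, bufsize - 1);
        buf[bufsize - 1] = '\0';
        return 1;                  /* truncated */
    }
    memcpy(buf, s, n);
    buf[n] = '\0';
    return 0;
}

/* Mirrors the info.c call site: copy a caller-supplied table name into the
 * fixed pktab[] buffer. PKTAB_SIZE is an assumed size for this example. */
#define PKTAB_SIZE 32
int copy_table_name(const char *szTableName, long cbTableName, char *out)
{
    char pktab[PKTAB_SIZE];
    int truncated = make_string_bounded(szTableName, cbTableName, pktab, sizeof pktab);
    strcpy(out, pktab);            /* out must hold PKTAB_SIZE bytes */
    return truncated;
}
```

A 10000-byte table name, the kind of input in the Debian bug title, lands in pktab as a 31-character prefix with the truncation flag set, instead of overwriting the stack.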
