Fix for buffer overflow ready [was: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)]
From | Martin Pitt |
---|---|
Subject | Fix for buffer overflow ready [was: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)] |
Date | |
Msg-id | 20040513094155.GA28717@ifsr.de |
In reply to | Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes) (Martin Pitt <martin@piware.de>) |
List | pgsql-bugs |
Hi again!

Sorry for crossposting, but I sent the initial post also to -bugs, because I did not get an answer on -odbc.

On 2004-05-11 12:03 +0200, Martin Pitt wrote:
> I noticed Apache segfaulting when I feed a simple form with long inputs:
>
> [Tue May 4 11:32:10 2004] [notice] child pid 4084 exit signal Segmentation fault (11)
>
> Such inputs are used by php function odbc_connect as username and password to connect to a DSN using postgresql driver:
>
> $connection = @odbc_connect(DSN, $_POST['username'], $_POST['password'])
>
> The output of gdb is:
>
> (gdb) run -X -d apache
> [...]
> [Thread debugging using libthread_db enabled]
> [...]
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 1076569920 (LWP 832)]
> 0x44c3d627 in SOCK_put_next_byte () from /usr/lib/postgresql/lib/psqlodbc.so
>
> Or:
> [same stuff here]
> 0x44c4c3d0 in strncpy_null () from /usr/lib/postgresql/lib/psqlodbc.so
>
> I suspect a security issue because playing around with long input strings of "A" I've been able to trigger in Apache error.log this message:
>
> free(): invalid pointer 0x41414141!
>
> 0x41 is obviously one of my "A"...

The problem is that make_string() in misc.c does not check whether the target buffer is big enough to hold the copied string. I added a bufsize parameter to make_string() and used it in all calls to it. I tried it with my php4 crash test script and now it works properly.

The attached patch is for the current stable release 07.03.0200. Thanks a lot to Peter Eisentraut for pointing me at the problem origin.

Unless you have a better idea it would be nice if you could apply the patch to the official sources and also include it in the next release. I will upload updated Debian packages for unstable and stable this afternoon (16:00 CEST) if nobody reports a problem or a better solution.

Thanks in advance,

Martin

--
Martin Pitt                  Debian GNU/Linux Developer
martin@piware.de             mpitt@debian.org
http://www.piware.de         http://www.debian.org
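An added illustration of the defect class and the fix described in the mail. This is a constructed example, not psqlodbc's misc.c: the real make_string() signature, its length-sentinel handling and the callers' buffer sizes are not reproduced here. It places a copy helper sized only from its input beside one that takes the destination capacity as a bufsize parameter, and exercises the bounded one with a 10000-byte string of 'A's like the one in the report.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the pre-fix helper: the copy length comes only
 * from len (or strlen), never from the capacity of buf, so a fixed-size
 * destination shorter than len is overrun. Shown for contrast; not called. */
char *make_string_unbounded(const char *s, int len, char *buf)
{
    size_t length = (len > 0) ? (size_t)len : strlen(s);
    if (!buf && !(buf = malloc(length + 1)))
        return NULL;
    memcpy(buf, s, length);      /* writes length bytes whatever buf holds */
    buf[length] = '\0';
    return buf;
}

/* Hardened form with the extra bufsize parameter the mail describes: when
 * the caller supplies buf, the copy is clamped to bufsize - 1 so the
 * terminator always fits; the heap path is still sized from the input. */
char *make_string_bounded(const char *s, int len, char *buf, size_t bufsize)
{
    size_t length = (len > 0) ? (size_t)len : strlen(s);
    if (buf) {
        if (bufsize == 0)
            return NULL;             /* nothing can be stored safely */
        if (length > bufsize - 1)
            length = bufsize - 1;    /* truncate instead of overrunning */
    } else if (!(buf = malloc(length + 1))) {
        return NULL;
    }
    memcpy(buf, s, length);
    buf[length] = '\0';
    return buf;
}

/* Mimics the crash scenario: an input_len-byte username of 'A's (constructed,
 * like the report's) copied into a fixed 32-byte stack buffer declared with
 * capacity bufsize. Returns the stored length, or (size_t)-1 on bad arguments. */
size_t bounded_copy_len(size_t input_len, size_t bufsize)
{
    char buf[32];
    char *input;
    size_t n;
    if (bufsize > sizeof buf || !(input = malloc(input_len + 1)))
        return (size_t)-1;
    memset(input, 'A', input_len);
    input[input_len] = '\0';
    n = make_string_bounded(input, (int)input_len, buf, bufsize) ? strlen(buf) : 0;
    free(input);
    return n;
}
```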