Re: Found a buffer-overflow defect in asynchronous database connection API PQconnectPoll
From | Tom Lane |
---|---|
Subject | Re: Found a buffer-overflow defect in asynchronous database connection API PQconnectPoll |
Date | |
Msg-id | 2080223.1624454678@sss.pgh.pa.us |
In response to | Found a buffer-overflow defect in asynchronous database connection API PQconnectPoll (Sudheer H R <sudheer.hr@tekenlight.com>) |
Responses | Re: Found a buffer-overflow defect in asynchronous database connection API PQconnectPoll |
List | pgsql-bugs |
Sudheer H R <sudheer.hr@tekenlight.com> writes:
> While trying to sanitise the code for heap buffer overflows I compiled and linked the executable with clang -fsanitize=“address” option. The connection library indicates a buffer overflow in an internal source code of the module.

Hm, interesting. Our code is expecting that gss_display_status() returns a null-terminated string, but this trace suggests that the string is not necessarily null-terminated. The documentation I found on the net is unclear on the point, and the code I could find is split as to how the string is treated. If it's not supposed to be null-terminated, we're hardly the only ones making that mistake.

In any case, you wouldn't get here unless we'd run into some kind of problem trying to make a GSS connection. Could you maybe explain the conditions you're running this under, and/or print out the failure message it constructs?

regards, tom lane
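
One defensive way to handle the situation discussed in the message above, as an added example that is not from the original message or from libpq: treat the status message as a length-counted buffer and never read past its stated length. The `counted_buf` struct is a local stand-in for GSSAPI's `gss_buffer_desc`, and `copy_counted_msg` is a hypothetical helper name.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local stand-in for GSSAPI's gss_buffer_desc (length + pointer), declared
 * here so the example builds without GSSAPI headers (assumption). */
typedef struct {
    size_t length;
    void  *value;
} counted_buf;

/* Hypothetical helper: copy a length-counted message into dst (capacity
 * dstlen). Reads at most src->length bytes, truncates to fit, and always
 * NUL-terminates dst. Returns the number of message bytes copied. */
size_t copy_counted_msg(char *dst, size_t dstlen, const counted_buf *src)
{
    size_t n;
    const char *nul;

    if (dst == NULL || dstlen == 0)
        return 0;
    if (src == NULL || src->value == NULL) {
        dst[0] = '\0';
        return 0;
    }
    n = src->length;
    if (n > dstlen - 1)
        n = dstlen - 1;                 /* leave room for the terminator */
    /* If the producer did include a NUL inside the counted bytes, stop there. */
    nul = memchr(src->value, '\0', n);
    if (nul != NULL)
        n = (size_t)(nul - (const char *)src->value);
    memcpy(dst, src->value, n);
    dst[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample: 13 message bytes with no trailing NUL. */
    char raw[13] = {'N','o',' ','c','r','e','d','e','n','t','i','a','l'};
    counted_buf msg = { sizeof raw, raw };
    char out[64];

    copy_counted_msg(out, sizeof out, &msg);
    printf("copied:  %s\n", out);
    /* Printing directly with an explicit precision also avoids overreads. */
    printf("direct:  %.*s\n", (int)msg.length, (const char *)msg.value);
    return 0;
}
```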