Re: [Patch] First buffer overflow fixes

> -----Original Message-----
> From: pgsql-odbc-owner@postgresql.org
> [mailto:pgsql-odbc-owner@postgresql.org] On Behalf Of Peter Eisentraut
> Sent: 09 July 2004 09:02
> To: pgsql-odbc@postgresql.org
> Subject: Re: [ODBC] [Patch] First buffer overflow fixes
>
> And here's the patch... :-)
>
> Am Freitag, 9. Juli 2004 00:58 schrieb Peter Eisentraut:
> > Here's a small round of fixes for buffer overflows.  They
> are related
> > to the recent security announcement, namely that the make_string()
> > function doesn't check the size of the buffer.  The
> solution is mainly
> > based on the patch proposed by Martin Pitt at that time, namely to
> > pass the size of the buffer, but I'm leaning more in favor of
> > dynamically allocating buffers rather than using fixed-size
> arrays, so
> > I used that approach where possible.
> >
> > Please inspect.  If no one objects I'll install this patch in a few
> > days.

Looks OK to me - however I noticed a compiler warning in misc.c when
testing - the following patch fixes it:

Index: misc.c
===================================================================
RCS file: /usr/local/cvsroot/psqlodbc/psqlodbc/misc.c,v
retrieving revision 1.39
diff -u -r1.39 misc.c
--- misc.c    9 Dec 2003 10:01:38 -0000    1.39
+++ misc.c    9 Jul 2004 08:48:31 -0000
@@ -266,7 +266,7 @@
 char *
 make_string(const char *s, int len, char *buf)
 {
-    int            length;
+    unsigned int            length;
     char       *str;

     if (s && (len > 0 || (len == SQL_NTS && strlen(s) > 0)))


Regards, Dave.