Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL (fwd)

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Vince Vielhaber <vev(at)michvhf(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL (fwd)
Date: 2002-08-20 20:05:11
Message-ID: 1751.1029873911@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Vince Vielhaber <vev(at)michvhf(dot)com> writes:
> Here's yet another. He claims malicious code can be run on the server
> with this one.

regression=# select repeat('xxx',1431655765);
server closed the connection unexpectedly

This is probably caused by integer overflow in calculating the size of
the repeat's result buffer. It'd take some considerable doing to create
an arbitrary-code exploit, but perhaps could be done. Anyone want to
investigate a patch? I think we likely need something like

bufsize = input_length * repeats;
+ /* check for overflow in multiplication */
+ if (bufsize / repeats != input_length)
+ elog(ERROR, "repeat result too long");

but I haven't thought it through in detail.

regards, tom lane

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Vince Vielhaber 2002-08-20 20:11:26 Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in
Previous Message Bruce Momjian 2002-08-20 20:04:32 Re: @(#) Mordred Labs advisory 0x0001: Buffer overflow in