From: | Martin Pitt <mpitt(at)debian(dot)org> |
---|---|
To: | pgsql-bugs(at)postgresql(dot)org, pgsql-odbc(at)postgresql(dot)org |
Cc: | 247306(at)bugs(dot)debian(dot)org, Peter Eisentraut <peter_e(at)gmx(dot)net> |
Subject: | Fix for buffer overflow ready [was: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)] |
Date: | 2004-05-13 09:41:56 |
Message-ID: | 20040513094155.GA28717@ifsr.de |
Lists: | pgsql-bugs pgsql-odbc |
Hi again!
Sorry for crossposting, but I sent the initial post also to -bugs,
because I did not get an answer on -odbc.
On 2004-05-11 12:03 +0200, Martin Pitt wrote:
> I noticed Apache segfaulting when I feed a simple form with long inputs:
>
> [Tue May 4 11:32:10 2004] [notice] child pid 4084 exit signal Segmentation fault (11)
>
> Such inputs are used by php function odbc_connect as username and password to connect to a DSN using postgresql driver:
>
> $connection = @odbc_connect(DSN, $_POST['username'], $_POST['password'])
>
> The output of gdb is:
>
> (gdb) run -X -d apache
> [...]
> [Thread debugging using libthread_db enabled]
> [...]
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 1076569920 (LWP 832)]
> 0x44c3d627 in SOCK_put_next_byte () from /usr/lib/postgresql/lib/psqlodbc.so
>
> Or:
> [same stuff here]
> 0x44c4c3d0 in strncpy_null () from /usr/lib/postgresql/lib/psqlodbc.so
>
> I suspect a security issue because playing around with long input strings of "A" I've been able to trigger in Apache error.log this message:
>
> free(): invalid pointer 0x41414141!
>
> 0x41 is obviously one of my "A"...
The problem is that make_string() in misc.c does not check whether the
target buffer is big enough to hold the copied string.
I added a bufsize parameter to make_string() and used it in all calls
to it. I tried it with my php4 crash test script and now it works
properly.
The attached patch is for the current stable release 07.03.0200.
Thanks a lot to Peter Eisentraut for pointing me at the problem origin.
Unless you have a better idea it would be nice if you could apply the
patch to the official sources and also include it in the next release.
I will upload updated Debian packages for unstable and stable this
afternoon (16:00 CEST) if nobody reports a problem or a better
solution.
Thanks in advance,
Martin
--
Martin Pitt Debian GNU/Linux Developer
martin(at)piware(dot)de mpitt(at)debian(dot)org
http://www.piware.de http://www.debian.org
Attachment | Content-Type | Size |
---|---|---|
psqlodbc-make_string.patch | text/plain | 6.3 KB |
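The defect class described in this report, a string-copy helper that does not know the size of its target, can be illustrated with a small added example. The code below is not psqlODBC's make_string() or the attached patch; `copy_unbounded`, `copy_bounded`, `store_credential` and `CRED_BUFSIZE` are hypothetical names, and the fixed-size credential buffer and the long input of `A` bytes are constructed to mirror the scenario in the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical unbounded helper: copies len bytes into dst with no idea
 * of dst's capacity. A fixed-size destination and a long input overrun
 * the buffer, which is the pattern the report describes. Shown for
 * contrast only; it must never be called with untrusted lengths. */
void copy_unbounded(char *dst, const char *src, size_t len)
{
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Bounded version: takes the destination capacity (the equivalent of the
 * added bufsize parameter), truncates to fit and always NUL-terminates.
 * Returns the number of bytes stored so a caller can detect truncation
 * by comparing against the requested length. */
size_t copy_bounded(char *dst, size_t bufsize, const char *src, size_t len)
{
    if (bufsize == 0)
        return 0;                 /* nothing can be stored, not even '\0' */
    if (len >= bufsize)
        len = bufsize - 1;        /* leave room for the terminator */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return len;
}

/* Constructed stand-in for a connect path that stores a caller-supplied
 * credential in a fixed-size buffer. Returns the stored length. */
#define CRED_BUFSIZE 32

size_t store_credential(char cred[CRED_BUFSIZE], const char *input)
{
    return copy_bounded(cred, CRED_BUFSIZE, input, strlen(input));
}

int main(void)
{
    char cred[CRED_BUFSIZE];
    char longinput[128];                  /* constructed: 127 'A' bytes */
    memset(longinput, 'A', sizeof longinput - 1);
    longinput[sizeof longinput - 1] = '\0';

    size_t stored = store_credential(cred, longinput);
    if (stored < strlen(longinput))
        printf("input truncated to %zu bytes instead of overflowing\n", stored);
    return 0;
}
```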