| From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
|---|---|
| To: | Winter Loo <winterloo(at)126(dot)com> |
| Cc: | pgsql-hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: may be a buffer overflow problem |
| Date: | 2024-06-14 07:55:12 |
| Message-ID: | 74BBCE2E-B024-426A-95F0-D560A1528F73@yesql.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> On 14 Jun 2024, at 09:38, Winter Loo <winterloo(at)126(dot)com> wrote:
> I find the definition of `sqlca->sqlstate` and it has only 5 bytes. When the statement
>
> ```c
> strncpy(sqlca->sqlstate, "YE001", sizeof(sqlca->sqlstate));
> ```
>
> get executed, `sqlca->sqlstate` will have no '\0' byte which makes me anxious when someone prints that as a string.
sqlstate is defined as not being unterminated fixed-length, leaving the callers
to handle termination.
> Indeed, I found the code(in src/interfaces/ecpg/ecpglib/misc.c) does that,
>
> fprintf(debugstream, "[NO_PID]: sqlca: code: %ld, state: %s\n",
> sqlca->sqlcode, sqlca->sqlstate);
This is indeed buggy and need to take the length into account, as per the
attached. This only happens when in the undocumented regression test debug
mode which may be why it's gone unnoticed.
--
Daniel Gustafsson
| Attachment | Content-Type | Size |
|---|---|---|
| ecgp_sqlstate.diff | application/octet-stream | 639 bytes |
| unknown_filename | text/plain | 1 byte |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Laurenz Albe | 2024-06-14 08:04:45 | Re: may be a buffer overflow problem |
| Previous Message | Bertrand Drouvot | 2024-06-14 07:54:52 | Re: Avoid orphaned objects dependencies, take 3 |