Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in

From: Gavin Sherry <swm(at)linuxworld(dot)com(dot)au>
To: Thomas Lockhart <lockhart(at)fourpalms(dot)org>
Cc: Neil Conway <neilc(at)samurai(dot)com>, Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in
Date: 2002-08-22 01:39:58
Message-ID: Pine.LNX.4.21.0208221134570.15611-100000@linuxworld.com.au
Lists: pgsql-hackers

On Wed, 21 Aug 2002, Gavin Sherry wrote:

> On Tue, 20 Aug 2002, Thomas Lockhart wrote:
>
> > ...
> > > So I think that fixing the opaque problems in 7.2.x is simply
> > > impossible. Given that, the question is whether we should make a 7.2.2
> > > release with fixes for the other security holes (lpad(), rpad(),
> > > reverse(), and the datetime overruns). IMHO, we should.
> >
> > Just a minor point: can someone actually show a symptom with date/time
> > problems in 7.2.x?
>

[snip]

> server closed the connection unexpectedly
> This probably means the server terminated abnormally
> before or while processing the request.
> The connection to the server was lost. Attempting reset: Failed.
> !#
>
> ParseDateTime() isn't checking that str < MAXDATELEN -- which is the
> problem you solved in the datetime.c fixes.

I had a look at this code on the train. There does not appear to be any
way on conventional hardware to manipulate this bug to smash the stack.
This is due to the fact that ParseDateTime() returns to the caller if it
encounters a non-printable character. It would be perhaps one of the most
impressive hacks ever if someone could dream up machine code to put in the
overrun which consisted entirely of printable characters.

As such, it is remarkably unlikely that someone could exploit this bug to
execute arbitrary code.

Gavin
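The bug class under discussion (a fixed-size buffer filled from caller input with an early return on non-printable bytes but no check against MAXDATELEN), shown as an added example. This is not PostgreSQL's ParseDateTime() and not code from anyone in this thread; the function names, the MAXDATELEN value and the return codes are assumptions made for illustration. The unbounded variant keeps the behaviour described above, the bounded variant is the kind of check the datetime.c fixes added.

```c
/* Added example (hypothetical code, not PostgreSQL's): a tokeniser that
 * lower-cases its input into a fixed buffer, first without and then with
 * a bound check. Builds stand-alone with a C99 compiler. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXDATELEN 51          /* assumed value for illustration only */

enum { TOK_OK = 0, TOK_NONPRINT = -1, TOK_TOOLONG = -2 };

/* Unbounded: copies str into dst until NUL, bailing out on the first
 * non-printable byte. Nothing stops dst from being overrun when the
 * caller hands in a MAXDATELEN-sized stack buffer; the only thing that
 * ends the copy early is a non-printable byte in the input. */
static int lowercase_unbounded(const char *str, char *dst)
{
    char *lp = dst;
    for (; *str != '\0'; str++) {
        if (!isprint((unsigned char)*str)) {
            *lp = '\0';
            return TOK_NONPRINT;   /* early return, as described above */
        }
        *lp++ = (char)tolower((unsigned char)*str);
    }
    *lp = '\0';
    return TOK_OK;
}

/* Bounded: identical, except every write is checked against the
 * destination's capacity before it happens, leaving room for the NUL. */
static int lowercase_bounded(const char *str, char *dst, size_t dst_cap)
{
    char *lp = dst;
    if (dst_cap == 0)
        return TOK_TOOLONG;
    for (; *str != '\0'; str++) {
        if (!isprint((unsigned char)*str)) {
            *lp = '\0';
            return TOK_NONPRINT;
        }
        if ((size_t)(lp - dst) >= dst_cap - 1) {
            *lp = '\0';
            return TOK_TOOLONG;    /* reject instead of overrunning */
        }
        *lp++ = (char)tolower((unsigned char)*str);
    }
    *lp = '\0';
    return TOK_OK;
}

/* Runs the unbounded copy into a scratch buffer the caller guarantees is
 * large enough, so the demo can measure how far past MAXDATELEN the copy
 * would have gone without corrupting memory itself. */
static size_t bytes_written_unbounded(const char *str, char *scratch)
{
    lowercase_unbounded(str, scratch);
    return strlen(scratch);
}

int main(void)
{
    char input[300];                 /* constructed input: 200 printable bytes */
    char big[512], small[MAXDATELEN];
    memset(input, 'A', 200);
    input[200] = '\0';
    printf("unbounded wrote %zu bytes into a buffer meant to hold %d\n",
           bytes_written_unbounded(input, big), MAXDATELEN);
    printf("bounded returned %d after %zu bytes\n",
           lowercase_bounded(input, small, sizeof small), strlen(small));
    return 0;
}
```

The unbounded copy writes all 200 bytes, so against a real MAXDATELEN-sized stack buffer it would run 150 bytes past the end; the bounded copy stops at 50 bytes and returns an error the caller can turn into a parse failure. Note that only printable bytes reach the destination in either version, which is the property the message above relies on.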
