Home > mailing lists

Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL (fwd) - Mailing list pgsql-hackers

From	Tom Lane
Subject	Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL (fwd)
Date	August 20, 2002 19:05:18
Msg-id	1751.1029873911@sss.pgh.pa.us Whole thread Raw
In response to	@(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL (fwd) (Vince Vielhaber <vev@michvhf.com>)
Responses	Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in (Vince Vielhaber <vev@michvhf.com>) Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL (fwd) (Neil Conway <neilc@samurai.com>)
List	pgsql-hackers

Tree view

Vince Vielhaber <vev@michvhf.com> writes:
> Here's yet another.  He claims malicious code can be run on the server
> with this one.

regression=# select repeat('xxx',1431655765);
server closed the connection unexpectedly

This is probably caused by integer overflow in calculating the size of
the repeat's result buffer.  It'd take some considerable doing to create
an arbitrary-code exploit, but perhaps could be done.  Anyone want to
investigate a patch?  I think we likely need something like
bufsize = input_length * repeats;
+    /* check for overflow in multiplication */
+    if (bufsize / repeats != input_length)
+        elog(ERROR, "repeat result too long");

but I haven't thought it through in detail.
        regards, tom lane

pgsql-hackers by date:

From: Bruce Momjian
Date: 20 August 2002, 19:05:00
Subject: Re: @(#) Mordred Labs advisory 0x0001: Buffer overflow in

From: Vince Vielhaber
Date: 20 August 2002, 19:11:32
Subject: Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in

Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL (fwd) - Mailing list pgsql-hackers

Previous

Next