Hi!
On 2004-05-12 1:31 +0200, Peter Eisentraut wrote:
> Martin Pitt wrote:
> > A week ago we at Debian received the bug report below: due to a
> > buffer overflow in psqlodbc it is possible to crash (and possibly
> > exploit) apache. I already sent this mail to the psqlodbc list [1],
> > but unfortunately got no response so far. So maybe there are some
> > hackers here who can help with this?
>
> The problem is that the ODBC driver just writes the long user name or
> password into its internal data structures without paying attention to the
> fact that it's only got 256 bytes of space. (function PGAPI_Connect in
> file connection.c) It's the oldest bug in the book really.

Thanks for this hint and for spotting the error, I think I see the problem
now: PGAPI_Connect calls

    make_string(szDSN, cbDSN, ci->dsn);

to copy the string (and similar with uid and password). ci->dsn is
only MEDIUM_REGISTRY_LEN (256) bytes big, so if cbDSN >= 256, it will
crash. So I suppose the function just has to check the cb* values, and
if one of them is >= 256, return an appropriate error?

Another possibility would be to add a fourth argument to make_string
that specifies the size of the target buffer (and have it copy
max(stringlen, bufferlen-1) bytes). This would force the correction of
all places where make_string is used (just 13, so it should not get
too hard).

Any comments on that?
Thanks,
Martin
--
Martin Pitt                 Debian GNU/Linux Developer
martin@piware.de            mpitt@debian.org
http://www.piware.de        http://www.debian.org
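An added illustration of the "fourth argument" fix discussed above; this is example code written for this page, not psqlodbc's make_string. It assumes the ODBC convention that a negative length means a NUL-terminated string (named NTS_LEN here, a constructed stand-in), and it combines both suggestions from the message: the copy is bounded by the destination size, and an over-long source is rejected with an error return instead of being written past the 256-byte field.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MEDIUM_REGISTRY_LEN 256 /* size of ci->dsn (and uid/password) per the thread */
#define NTS_LEN (-1)            /* constructed marker: "take the whole NUL-terminated string" */

/* Bounded variant of make_string(s, len, buf): the extra bufsize argument is
 * the size of the target buffer.  Returns buf on success, NULL when the
 * source (plus its terminating NUL) would not fit.  Never writes past buf. */
char *make_string_bounded(const char *s, int len, char *buf, size_t bufsize)
{
    size_t n;

    if (s == NULL || buf == NULL || bufsize == 0)
        return NULL;
    n = (len < 0) ? strlen(s) : (size_t)len;
    if (n >= bufsize)           /* the missing check: cbDSN >= 256 must be an error */
        return NULL;
    memcpy(buf, s, n);
    buf[n] = '\0';
    return buf;
}

/* Mirrors the PGAPI_Connect call site: copy szDSN/cbDSN into the 256-byte
 * field.  Returns 1 on success, 0 when the driver should report an error. */
int connect_copy_dsn(const char *szDSN, int cbDSN, char dsn[MEDIUM_REGISTRY_LEN])
{
    return make_string_bounded(szDSN, cbDSN, dsn, MEDIUM_REGISTRY_LEN) != NULL;
}

/* Helper for the checks below: does a DSN of cbDSN bytes (or, for NTS_LEN,
 * a constructed 511-byte one) fit into the field? */
int dsn_length_fits(int cbDSN)
{
    char src[512];              /* constructed over-long DSN, all 'A's */
    char dsn[MEDIUM_REGISTRY_LEN];
    memset(src, 'A', sizeof src - 1);
    src[sizeof src - 1] = '\0';
    return connect_copy_dsn(src, cbDSN, dsn);
}

int main(void)
{
    printf("255-byte DSN: %s\n", dsn_length_fits(255) ? "accepted" : "rejected");
    printf("256-byte DSN: %s\n", dsn_length_fits(256) ? "accepted" : "rejected");
    printf("511-byte NTS DSN: %s\n", dsn_length_fits(NTS_LEN) ? "accepted" : "rejected");
    return 0;
}
```

The boundary case is the one the original code got wrong: 255 bytes plus the NUL exactly fills the field and is accepted, 256 bytes is refused.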