Fix for buffer overflow ready [was: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)] - Mailing list pgsql-bugs

From: Martin Pitt
Subject: Fix for buffer overflow ready [was: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)]
Msg-id: 20040513094155.GA28717@ifsr.de
In response to: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes) (Martin Pitt <martin@piware.de>)
List: pgsql-bugs
Hi again!

Sorry for crossposting, but I sent the initial post also to -bugs,
because I did not get an answer on -odbc.

On 2004-05-11 12:03 +0200, Martin Pitt wrote:
> I noticed Apache segfaulting when I feed a simple form with long inputs:
>
>     [Tue May  4 11:32:10 2004] [notice] child pid 4084 exit signal Segmentation fault (11)
>
> Such inputs are used by php function odbc_connect as username and password to connect to a DSN using postgresql driver:
>
>     $connection = @odbc_connect(DSN, $_POST['username'], $_POST['password'])
>
> The output of gdb is:
>
>     (gdb) run -X -d apache
>     [...]
>     [Thread debugging using libthread_db enabled]
>     [...]
>     Program received signal SIGSEGV, Segmentation fault.
>     [Switching to Thread 1076569920 (LWP 832)]
>     0x44c3d627 in SOCK_put_next_byte () from /usr/lib/postgresql/lib/psqlodbc.so
>
> Or:
>     [same stuff here]
>     0x44c4c3d0 in strncpy_null () from /usr/lib/postgresql/lib/psqlodbc.so
>
> I suspect a security issue because playing around with long input strings of "A" I've been able to trigger in Apache error.log this message:
>
>     free(): invalid pointer 0x41414141!
>
> 0x41 is obviously one of my "A"...

The problem is that make_string() in misc.c does not check whether the
target buffer is big enough to hold the copied string.

I added a bufsize parameter to make_string() and used it in all calls
to it. I tried it with my php4 crash test script and now it works
properly.

The attached patch is for the current stable release 07.03.0200.

Thanks a lot to Peter Eisentraut for pointing me at the problem origin.

Unless you have a better idea, it would be nice if you could apply the
patch to the official sources and also include it in the next release.

I will upload updated Debian packages for unstable and stable this
afternoon (16:00 CEST) if nobody reports a problem or a better
solution.

Thanks in advance,

Martin

--
Martin Pitt                 Debian GNU/Linux Developer
martin@piware.de                      mpitt@debian.org
http://www.piware.de             http://www.debian.org
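The fix Martin describes, shown here as an added C example that is not the psqlodbc patch itself: a copy routine that takes an explicit bufsize and truncates instead of overrunning, plus a check that a 10000-byte run of 'A' (the 0x41 bytes from the bug report) stays inside a 256-byte buffer. The name make_string_bounded, the buffer size and the guard zone are this example's own assumptions, not psqlodbc's code.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounded copy modelled on the described fix: store at most
 * bufsize-1 bytes of src in buf and always NUL-terminate. srclen < 0 means
 * "src is NUL-terminated". Returns bytes stored (without the terminator),
 * or -1 if buf cannot even hold the terminator. */
int make_string_bounded(const char *src, int srclen, char *buf, size_t bufsize)
{
    size_t len;
    if (buf == NULL || bufsize == 0)
        return -1;
    if (src == NULL) {
        buf[0] = '\0';
        return 0;
    }
    len = (srclen < 0) ? strlen(src) : (size_t)srclen;
    if (len >= bufsize)
        len = bufsize - 1;            /* truncate instead of overflowing */
    memcpy(buf, src, len);
    buf[len] = '\0';
    return (int)len;
}

/* Constructed crash input: 10000 'A' bytes copied into a small fixed-size
 * buffer, as a username/password would be. The 8 bytes after the buffer
 * are a guard zone; returns 1 only if they are untouched and the copy
 * was cleanly truncated and terminated. */
int demo_long_input(void)
{
    enum { INPUT_LEN = 10000, BUF_SIZE = 256, GUARD = 8 };
    char *input = malloc(INPUT_LEN + 1);
    char guarded[BUF_SIZE + GUARD];
    int n, i, ok;

    if (input == NULL)
        return 0;
    memset(input, 'A', INPUT_LEN);
    input[INPUT_LEN] = '\0';
    memset(guarded, 0x5A, sizeof guarded);

    n = make_string_bounded(input, -1, guarded, BUF_SIZE);
    ok = (n == BUF_SIZE - 1) && guarded[BUF_SIZE - 1] == '\0';
    for (i = BUF_SIZE; i < (int)sizeof guarded; i++)
        ok = ok && guarded[i] == 0x5A;   /* guard zone must be intact */
    free(input);
    return ok;
}
```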
