Hi again!
Sorry for crossposting, but I sent the initial post also to -bugs,
because I did not get an answer on -odbc.
On 2004-05-11 12:03 +0200, Martin Pitt wrote:
> I noticed Apache segfaulting when I feed a simple form with long inputs:
>
> [Tue May 4 11:32:10 2004] [notice] child pid 4084 exit signal Segmentation fault (11)
>
> Such inputs are used by php function odbc_connect as username and password to connect to a DSN using postgresql driver:
>
> $connection = @odbc_connect(DSN, $_POST['username'], $_POST['password'])
>
> The output of gdb is:
>
> (gdb) run -X -d apache
> [...]
> [Thread debugging using libthread_db enabled]
> [...]
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 1076569920 (LWP 832)]
> 0x44c3d627 in SOCK_put_next_byte () from /usr/lib/postgresql/lib/psqlodbc.so
>
> Or:
> [same stuff here]
> 0x44c4c3d0 in strncpy_null () from /usr/lib/postgresql/lib/psqlodbc.so
>
> I suspect a security issue because playing around with long input strings of "A" I've been able to trigger in Apache error.log this message:
>
> free(): invalid pointer 0x41414141!
>
> 0x41 is obviously one of my "A"...
The problem is that make_string() in misc.c does not check whether the
target buffer is big enough to hold the copied string.
I added a bufsize parameter to make_string() and used it in all calls
to it. I tried it with my php4 crash test script and now it works
properly.
The attached patch is for the current stable release 07.03.0200.
Thanks a lot to Peter Eisentraut for pointing me at the problem origin.
Unless you have a better idea it would be nice if you could apply the
patch to the official sources and also include it in the next release.
I will upload updated Debian packages for unstable and stable this
afternoon (16:00 CEST) if nobody reports a problem or a better
solution.
Thanks in advance,
Martin
--
Martin Pitt Debian GNU/Linux Developer
martin@piware.de mpitt@debian.org
http://www.piware.de http://www.debian.org
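The shape of the defect and of the fix described in the message, as an added illustration. This is not the patch attached to the mail (which is not on this page) and not psqlodbc's real make_string(); the signatures, the fixed 32-byte login field, the SQL_NTS marker and the runs of 'A' are assumptions made for the example. The unbounded version copies as many bytes as the source has, regardless of the caller's buffer; the bounded version takes the extra bufsize parameter and truncates to fit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction of the defect described in the message; it is not
 * psqlodbc's make_string() and not the patch that was attached to the mail.
 * SQL_NTS is the ODBC "null-terminated string" length marker (-3). */
#define SQL_NTS (-3)

/* Before: the copy is driven entirely by the source length.  A caller that
 * passes a fixed-size stack or struct buffer (as the login code does with the
 * username and password) overruns it whenever len >= that buffer's size,
 * which is the kind of overrun that ends in SIGSEGV or a corrupted heap
 * pointer such as "free(): invalid pointer 0x41414141". */
char *make_string_unbounded(const char *s, int len, char *buf)
{
    if (s == NULL)
        return NULL;
    if (len == SQL_NTS)
        len = (int)strlen(s);
    if (len < 0)
        return NULL;
    if (buf == NULL && (buf = malloc((size_t)len + 1)) == NULL)
        return NULL;
    memcpy(buf, s, (size_t)len);     /* no bound on buf at all */
    buf[len] = '\0';
    return buf;
}

/* After: the caller states how big buf is and the copy is truncated to fit.
 * When buf is NULL the function still allocates exactly len+1 bytes. */
char *make_string_bounded(const char *s, int len, char *buf, size_t bufsize)
{
    if (s == NULL)
        return NULL;
    if (len == SQL_NTS)
        len = (int)strlen(s);
    if (len < 0)
        return NULL;
    if (buf == NULL) {
        bufsize = (size_t)len + 1;
        if ((buf = malloc(bufsize)) == NULL)
            return NULL;
    }
    if (bufsize == 0)
        return NULL;                 /* nowhere to put even the terminator */
    size_t n = (size_t)len;
    if (n > bufsize - 1)
        n = bufsize - 1;             /* keep room for the NUL */
    memcpy(buf, s, n);
    buf[n] = '\0';
    return buf;
}

/* Mimics the form handler: a constructed run of `len` 'A's (the kind of input
 * the message describes) copied into a hypothetical 32-byte login field.
 * Returns the length that ended up in the field; with the bounded copy this
 * never exceeds 31. */
size_t login_field_len_after_copy(int len)
{
    char field[32];
    char *src = malloc((size_t)len + 1);
    if (src == NULL)
        return 0;
    memset(src, 'A', (size_t)len);
    src[len] = '\0';
    make_string_bounded(src, SQL_NTS, field, sizeof field);
    size_t got = strlen(field);
    free(src);
    return got;
}

int main(void)
{
    char field[32];
    const char *ok = "martin";
    /* Short inputs are unchanged by the bound. */
    printf("%s -> %s\n", ok, make_string_bounded(ok, SQL_NTS, field, sizeof field));
    /* A 200-byte username would have overrun `field` with the unbounded
     * version; the bounded one stores 31 bytes plus the terminator. */
    printf("200 x 'A' -> %zu bytes stored\n", login_field_len_after_copy(200));
    return 0;
}
```

Truncation silently shortens an over-long username or password rather than failing the call; for a login path that is acceptable (the connection will simply be refused), but a caller that needs to distinguish "fit" from "truncated" would compare the returned length against the source length.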