Home > mailing lists

Re: may be a buffer overflow problem - Mailing list pgsql-hackers

From	Daniel Gustafsson
Subject	Re: may be a buffer overflow problem
Date	June 14 10:55:12
Msg-id	74BBCE2E-B024-426A-95F0-D560A1528F73@yesql.se Whole thread Raw
In response to	may be a buffer overflow problem ("Winter Loo" <winterloo@126.com>)
Responses	Re: may be a buffer overflow problem Re: may be a buffer overflow problem
List	pgsql-hackers

Tree view

> On 14 Jun 2024, at 09:38, Winter Loo <winterloo@126.com> wrote:

> I find the definition of `sqlca->sqlstate` and it has only 5 bytes. When the statement
>
> ```c
> strncpy(sqlca->sqlstate, "YE001", sizeof(sqlca->sqlstate));
> ```
>
> get executed, `sqlca->sqlstate` will have no '\0' byte which makes me anxious when someone prints that as a string.

sqlstate is defined as not being unterminated fixed-length, leaving the callers
to handle termination.

> Indeed, I found the code(in src/interfaces/ecpg/ecpglib/misc.c) does that,
>
> fprintf(debugstream, "[NO_PID]: sqlca: code: %ld, state: %s\n",
> sqlca->sqlcode, sqlca->sqlstate);

This is indeed buggy and need to take the length into account, as per the
attached.  This only happens when in the undocumented regression test debug
mode which may be why it's gone unnoticed.

--
Daniel Gustafsson

Attachment

ecgp_sqlstate.diff

pgsql-hackers by date:

From: Bertrand Drouvot
Date: 14 June, 10:54:52
Subject: Re: Avoid orphaned objects dependencies, take 3

From: Laurenz Albe
Date: 14 June, 11:04:45
Subject: Re: may be a buffer overflow problem

Re: may be a buffer overflow problem - Mailing list pgsql-hackers

Attachment

Previous

Next