Home > mailing lists

Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL (fwd) - Mailing list pgsql-hackers

From	Neil Conway
Subject	Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL (fwd)
Date	August 20, 2002 19:32:28
Msg-id	87ofbxb7bd.fsf@mailbox.samurai.com Whole thread Raw
In response to	Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL (fwd) (Tom Lane <tgl@sss.pgh.pa.us>)
Responses	Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL (fwd) (Tom Lane <tgl@sss.pgh.pa.us>) Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL (fwd) (Neil Conway <neilc@samurai.com>)
List	pgsql-hackers

Tree view

Tom Lane <tgl@sss.pgh.pa.us> writes:

> Vince Vielhaber <vev@michvhf.com> writes:
> > Here's yet another.  He claims malicious code can be run on the server
> > with this one.
>
> regression=# select repeat('xxx',1431655765);
> server closed the connection unexpectedly
>
> This is probably caused by integer overflow in calculating the size of
> the repeat's result buffer.  It'd take some considerable doing to create
> an arbitrary-code exploit, but perhaps could be done.  Anyone want to
> investigate a patch?

This seems to fix the problem:

nconway=# select repeat('xxx',1431655765);
ERROR:  Requested buffer is too large.

It uses the logic you suggested. Just a quick and dirty fix, I may
have missed something... The patch applies cleanly to both CVS HEAD
and the 7.2 stable branch.

Cheers,

Neil

--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC

Attachment

repeat_fix.patch

pgsql-hackers by date:

From: Bruce Momjian
Date: 20 August 2002, 19:30:15
Subject: Re: bison news

From: Tom Lane
Date: 20 August 2002, 19:34:13
Subject: Re: bison news

Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL (fwd) - Mailing list pgsql-hackers

Attachment

Previous

Next