Re: [Patch] First buffer overflow fixes - Mailing list pgsql-odbc

From Dave Page
Subject Re: [Patch] First buffer overflow fixes
Date
Msg-id E7F85A1B5FF8D44C8A1AF6885BC9A0E40C390E@ratbert.vale-housing.co.uk
Whole thread Raw
In response to [Patch] First buffer overflow fixes  (Peter Eisentraut <peter_e@gmx.net>)
List pgsql-odbc

> -----Original Message-----
> From: pgsql-odbc-owner@postgresql.org
> [mailto:pgsql-odbc-owner@postgresql.org] On Behalf Of Peter Eisentraut
> Sent: 09 July 2004 09:02
> To: pgsql-odbc@postgresql.org
> Subject: Re: [ODBC] [Patch] First buffer overflow fixes
>
> And here's the patch... :-)
>
> Am Freitag, 9. Juli 2004 00:58 schrieb Peter Eisentraut:
> > Here's a small round of fixes for buffer overflows.  They
> are related
> > to the recent security announcement, namely that the make_string()
> > function doesn't check the size of the buffer.  The
> solution is mainly
> > based on the patch proposed by Martin Pitt at that time, namely to
> > pass the size of the buffer, but I'm leaning more in favor of
> > dynamically allocating buffers rather than using fixed-size
> arrays, so
> > I used that approach where possible.
> >
> > Please inspect.  If no one objects I'll install this patch in a few
> > days.

Looks OK to me - however I noticed a compiler warning in misc.c when
testing - the following patch fixes it:

Index: misc.c
===================================================================
RCS file: /usr/local/cvsroot/psqlodbc/psqlodbc/misc.c,v
retrieving revision 1.39
diff -u -r1.39 misc.c
--- misc.c    9 Dec 2003 10:01:38 -0000    1.39
+++ misc.c    9 Jul 2004 08:48:31 -0000
@@ -266,7 +266,7 @@
 char *
 make_string(const char *s, int len, char *buf)
 {
-    int            length;
+    unsigned int            length;
     char       *str;

     if (s && (len > 0 || (len == SQL_NTS && strlen(s) > 0)))


Regards, Dave.

pgsql-odbc by date:

Previous
From: Peter Eisentraut
Date:
Subject: Re: [Patch] First buffer overflow fixes
Next
From: Peter Eisentraut
Date:
Subject: unixODBC vs. iODBC