[PATCH] Fix possible string overflow with sscanf (xlog.c) - Mailing list pgsql-hackers

From Ranier Vilela
Subject [PATCH] Fix possible string overflow with sscanf (xlog.c)
Date
Msg-id MN2PR18MB2927B36C93F904068F07803CE3450@MN2PR18MB2927.namprd18.prod.outlook.com
List pgsql-hackers
Hi,
I know it's very hard, but it is possible. It just needs someone with the knowledge to do it.

Here is a proof of concept:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXPGPATH 256

int main(int argc, char ** argv)
{
    char        tbsoid[MAXPGPATH];
    char        str[MAXPGPATH];
    int            ch,
                prev_ch = -1,
                i = 0,
                n;
    FILE * lfp;

    /* crash.dat holds one line longer than MAXPGPATH */
    lfp = fopen("c:\\tmp\\crash.dat", "rb");
    if (lfp == NULL)
    {
        perror("fopen");
        return 1;
    }
    /* Same line-assembly loop as xlog.c: a backslash before the line end
     * escapes it; otherwise the line is complete and handed to sscanf. */
    while ((ch = fgetc(lfp)) != EOF)
    {
        if ((ch == '\n' || ch == '\r') && prev_ch != '\\')
        {
            str[i] = '\0';
            /* Unbounded %s: writes past tbsoid when the token exceeds MAXPGPATH-1 */
            if (sscanf(str, "%s %n", tbsoid, &n) != 1) {
               printf("tbsoid size=%zu\n", strlen(tbsoid));
               printf("tbsoid=%s\n", tbsoid);
               exit(1);
            }
            i = 0;
            continue;
        }
        else if ((ch == '\n' || ch == '\r') && prev_ch == '\\')
            str[i - 1] = ch;
        else
            str[i++] = ch;   /* note: str itself is not bounds-checked in this PoC */
        prev_ch = ch;
    }
    fclose(lfp);
    return 0;
}

Overflow with (MAXPGPATH=256)
C:\usr\src\tests\scanf>sscanf3
tbsoid size=260
tbsoid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxx

Now with patch:
C:\usr\src\tests\scanf>sscanf3
tbsoid size=255
tbsoid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxx

The solution is simple, but clumsy. I hope that is enough.
sscanf(str, "%1023s %n", tbsoid, &n)

Best regards.
Ranier Vilela
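As an added example (not code from the post or from PostgreSQL), the following shows the defensive pattern the patch reaches for, with the one refinement a reviewer would ask about: a width-limited `%s` stops writing at the buffer boundary but does so silently, so a token longer than the buffer is quietly cut rather than rejected. The helper derives the width from the buffer size at runtime instead of hard-coding it (so a `%1023s` cannot drift away from a 256-byte buffer), and it reports truncation explicitly. `TBSOID_SZ`, `scan_token`, `demo_long_line` and the 260-character input line are all constructed for this example and stand in for `MAXPGPATH` and the post's `crash.dat`.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define TBSOID_SZ 256   /* stands in for MAXPGPATH (assumption for this example) */

/* Outcome of scan_token(). */
enum scan_result { SCAN_OK = 0, SCAN_EMPTY = 1, SCAN_TRUNCATED = 2 };

/*
 * Copy the first whitespace-delimited token of `line` into `out` (capacity
 * outsz) without ever writing more than outsz-1 bytes plus the terminator.
 * The scanf field width is built from outsz, so format and buffer cannot
 * disagree. *consumed receives the bytes scanned, like the " %n" in xlog.c.
 */
enum scan_result scan_token(const char *line, char *out, size_t outsz, int *consumed)
{
    char fmt[32];
    int n = 0;
    size_t start = 0;

    if (outsz == 0)
        return SCAN_EMPTY;
    out[0] = '\0';
    /* outsz == 256 yields the format "%255s %n" */
    snprintf(fmt, sizeof fmt, "%%%zus %%n", outsz - 1);
    if (sscanf(line, fmt, out, &n) != 1)
        return SCAN_EMPTY;

    /* A bounded %s stops silently at the width; detect the cut by checking
     * whether the token really ended at whitespace or end of string. */
    if (strlen(out) == outsz - 1)
    {
        while (isspace((unsigned char) line[start]))
            start++;                         /* %s skips leading whitespace too */
        char next = line[start + (outsz - 1)];
        if (next != '\0' && !isspace((unsigned char) next))
            return SCAN_TRUNCATED;
    }
    if (consumed)
        *consumed = n;
    return SCAN_OK;
}

/*
 * Reproduce the post's scenario with a constructed line of 260 'x' characters
 * (not the original crash.dat). Returns the scan result and stores the number
 * of bytes that actually landed in the buffer.
 */
enum scan_result demo_long_line(size_t *copied_len)
{
    char line[300];
    char tbsoid[TBSOID_SZ];
    int consumed = 0;
    enum scan_result r;

    memset(line, 'x', 260);
    line[260] = '\n';
    line[261] = '\0';
    r = scan_token(line, tbsoid, sizeof tbsoid, &consumed);
    if (copied_len)
        *copied_len = strlen(tbsoid);
    return r;
}

/* A well-formed tablespace line (constructed): returns bytes consumed, -1 on error. */
int demo_short_line(void)
{
    char tbsoid[TBSOID_SZ];
    int consumed = 0;

    if (scan_token("16384 /mnt/tbs\n", tbsoid, sizeof tbsoid, &consumed) != SCAN_OK)
        return -1;
    if (strcmp(tbsoid, "16384") != 0)
        return -1;
    return consumed;
}

int main(void)
{
    size_t len = 0;
    enum scan_result r = demo_long_line(&len);

    printf("long line: result=%d copied=%zu (buffer %d)\n", (int) r, len, TBSOID_SZ);
    printf("short line: consumed=%d\n", demo_short_line());
    return 0;
}
```

With the 260-byte line the bounded scan copies exactly 255 bytes and returns `SCAN_TRUNCATED`, which lets the caller treat an over-long token as a malformed line instead of either overflowing the buffer or silently accepting a mangled OID.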