Bug#780925: DBD-Firebird: Buffer Overflow in dbdimp.c
Damyan Ivanov
dmn at debian.org
Sat Mar 21 21:23:06 UTC 2015
Package: libdbd-firebird-perl
Version: 0.91-2
Severity: grave
Tags: security upstream patch
X-Debbugs-CC: security at debian.org
Filing as a bug report.
----- Forwarded message from Stefan Roas <stefan.roas at fau.de> -----
From: Stefan Roas <stefan.roas at fau.de>
Subject: [Dbd-firebird-devel] Buffer Overflow in dbdimp.c
To: dbd-firebird-devel at lists.alioth.debian.org
Date: Fri, 13 Mar 2015 17:36:31 +0100
Hi there,
I found a buffer overflow in dbdimp.c. Error messages in dbdimp.c use
sprintf to a fixed-size buffer that (quite likely in two cases) might be
too small to hold the final result.
Attached you will find a patch that solves the problem by increasing the
size of the buffer to a value that should be large enough for every
conceivable input given the conversion specification, and additionally
uses snprintf() instead of sprintf(). As snprintf() is already used
elsewhere in dbdimp.c, I figure there are no portability issues
involved.
I did not check the other uses of sprintf, although it might be
worthwhile to do so, as a quick check found other locations where a
fixed-size buffer is involved.
Best regards,
Stefan
--
Stefan Roas, Datenbanken und studentische Verfahren
Friedrich-Alexander-Universität Erlangen-Nürnberg
Regionales Rechenzentrum Erlangen (RRZE)
Hugenottenplatz 1A, 91054 Erlangen, Deutschland
Tel.: +49 9131 85-29018
Fax : +49 9131 85-25777
stefan.roas at fau.de
http://www.rrze.fau.de
diff --git a/dbdimp.c b/dbdimp.c
index d985368..dbdf8e3 100644
--- a/dbdimp.c
+++ b/dbdimp.c
@@ -21,6 +21,8 @@
DBISTATE_DECLARE;
+#define ERRBUFSIZE 255
+
#define IB_SQLtimeformat(xxh, format, sv) \
do { \
STRLEN len; \
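Review bot: ERRBUFSIZE is introduced with no comment recording why 255 is enough. The sizing argument is short (the longest of the three messages below has 75 bytes of fixed text plus two %lu values of at most 20 digits each on LP64, about 116 bytes plus the NUL), so put it next to the define, and consider a power of two such as 256, which is easier to reason about when the next message site is added.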
@@ -2237,8 +2239,8 @@ static int ib_fill_isqlda(SV *sth, imp_sth_t *imp_sth, SV *param, SV *value,
/*
* User passed an undef to a field that is not nullable.
*/
- char err[80];
- sprintf(err, "You have not provided a value for non-nullable parameter #%d.", i);
+ char err[ERRBUFSIZE];
+ snprintf(err, sizeof(err), "You have not provided a value for non-nullable parameter #%d.", i);
do_error(sth, 1, err);
retval = FALSE;
return retval;
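Review bot: this site does not look overflowable in the first place, if i is an int (its declaration is outside the hunk): the fixed text is 59 bytes and a 32-bit int prints in at most 11, so 71 bytes fit in char err[80]. Moving to snprintf() is still the right defensive change, but the report should count two overflowable sites, not three. Truncation by snprintf() is harmless here because do_error() still receives a NUL-terminated string.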
@@ -2278,8 +2280,8 @@ static int ib_fill_isqlda(SV *sth, imp_sth_t *imp_sth, SV *param, SV *value,
string = SvPV(value, len);
if (len > ivar->sqllen) {
- char err[80];
- sprintf(err, "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu",
+ char err[ERRBUFSIZE];
+ snprintf(err, sizeof(err), "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu",
(long unsigned)len, (long unsigned)(sizeof(char) * (ivar->sqllen)));
break;
}
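Review bot: the message formatted into err is never reported; after the snprintf() the code reaches `break;` without a do_error(sth, 1, err) call, so the buffer is filled and then discarded. Either pass it to do_error() before the break, as the non-nullable-parameter hunk does, or drop the buffer. This site was genuinely overflowable: 75 bytes of fixed text plus two %lu values exceed 80 bytes as soon as len and sqllen together have more than four digits, and len is the length of the Perl value being bound. Also, `sizeof(char) * (ivar->sqllen)` is just ivar->sqllen, since sizeof(char) is 1 by definition.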
@@ -2301,8 +2303,8 @@ static int ib_fill_isqlda(SV *sth, imp_sth_t *imp_sth, SV *param, SV *value,
string = SvPV(value, len);
if (len > ivar->sqllen) {
- char err[80];
- sprintf(err, "String truncation (SQL_TEXT): attempted to bind %lu octets to column sized %lu",
+ char err[ERRBUFSIZE];
+ snprintf(err, sizeof(err), "String truncation (SQL_TEXT): attempted to bind %lu octets to column sized %lu",
(long unsigned)len, (long unsigned)(sizeof(char) * (ivar->sqllen)));
break;
}
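Review bot: same problem as the SQL_VARYING hunk: err is formatted and then discarded at the `break;` with no do_error() call. The two truncation messages differ only in the type name, so a small static helper taking the type string, len and sqllen and calling do_error() would remove the duplicated format string and leave only one place where the buffer size has to be right.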
----- End forwarded message -----
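The sizing argument behind the patch, worked through as an added example (this is not DBD::Firebird code; the three format strings are copied from the hunks above, the buffer sizes are the original 80 and the patch's ERRBUFSIZE of 255, and the bind length and column size are constructed inputs). It uses snprintf(NULL, 0, ...) to measure each message without writing anything, then shows the bounded-buffer pattern whose return value is the only indication that a message was cut short.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added example (not DBD::Firebird code): size the three dbdimp.c error
 * messages and show why snprintf() is the safe replacement for sprintf().
 * snprintf(NULL, 0, fmt, ...) returns the length the formatted text would
 * have, excluding the terminating NUL, without writing anything. */

#define OLD_BUFSIZE 80   /* char err[80] in the unpatched code  */
#define NEW_BUFSIZE 255  /* ERRBUFSIZE introduced by the patch  */

/* Format strings copied from the three patched sites. */
static const char FMT_PARAM[] =
    "You have not provided a value for non-nullable parameter #%d.";
static const char FMT_VARYING[] =
    "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu";
static const char FMT_TEXT[] =
    "String truncation (SQL_TEXT): attempted to bind %lu octets to column sized %lu";

/* Bytes needed, including the NUL, for each message with the given arguments. */
size_t need_param_msg(int i) {
    return (size_t)snprintf(NULL, 0, FMT_PARAM, i) + 1;
}
size_t need_varying_msg(unsigned long len, unsigned long sqllen) {
    return (size_t)snprintf(NULL, 0, FMT_VARYING, len, sqllen) + 1;
}
size_t need_text_msg(unsigned long len, unsigned long sqllen) {
    return (size_t)snprintf(NULL, 0, FMT_TEXT, len, sqllen) + 1;
}

/* The patched pattern: format into a bounded buffer and report whether the
 * message fit. snprintf() never writes more than bufsize bytes and always
 * NUL-terminates when bufsize > 0, so a truncated message is still a valid
 * C string; the return value is the only sign that truncation happened. */
int format_varying(char *buf, size_t bufsize, unsigned long len, unsigned long sqllen) {
    int n = snprintf(buf, bufsize, FMT_VARYING, len, sqllen);
    return n >= 0 && (size_t)n < bufsize;
}

/* Does the SQL_VARYING message fit in a buffer of the given size?
 * The scratch buffer is as large as the patched buffer, so any bufsize up
 * to NEW_BUFSIZE can be tried without allocating. */
int varying_fits_in(size_t bufsize, unsigned long len, unsigned long sqllen) {
    char scratch[NEW_BUFSIZE];
    if (bufsize > sizeof scratch) bufsize = sizeof scratch;
    return format_varying(scratch, bufsize, len, sqllen);
}

int main(void) {
    /* Constructed inputs: a 7-digit bind length against a 5-digit column size. */
    unsigned long len = 1000000UL, sqllen = 32765UL;

    printf("param msg, worst-case int:  %zu bytes (buffer %d)\n",
           need_param_msg(INT_MIN), OLD_BUFSIZE);
    printf("SQL_VARYING msg:            %zu bytes (buffer %d)\n",
           need_varying_msg(len, sqllen), OLD_BUFSIZE);
    printf("SQL_TEXT msg:               %zu bytes (buffer %d)\n",
           need_text_msg(len, sqllen), OLD_BUFSIZE);
    printf("SQL_VARYING, ULONG_MAX x2:  %zu bytes (buffer %d)\n",
           need_varying_msg(ULONG_MAX, ULONG_MAX), NEW_BUFSIZE);

    /* With sprintf() the 80-byte case would have written past the array. */
    printf("fits in %d: %s\n", OLD_BUFSIZE,
           varying_fits_in(OLD_BUFSIZE, len, sqllen) ? "yes" : "no, truncated");
    printf("fits in %d: %s\n", NEW_BUFSIZE,
           varying_fits_in(NEW_BUFSIZE, len, sqllen) ? "yes" : "no, truncated");
    return 0;
}
```

The non-nullable-parameter message needs at most 71 bytes for any 32-bit int, so it always fit in the old 80-byte array; the two truncation messages, whose length depends on the size of the value the caller binds, are the ones that could run past it, and both stay well under 255 even with two 20-digit values.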