File: CVE-2015-2788.patch

Package: libdbd-firebird-perl 0.91-2+deb7u1 (Debian wheezy, area main); size 680 kB; sloc: perl 4,085, ansic 2,262, makefile 14
File: 85 lines, 3,276 bytes
From a51b14d4729c24033d126ae68413ab4ab45676d6 Mon Sep 17 00:00:00 2001
From: Stefan Roas <stefan.roas@fau.de>
Date: Fri, 13 Mar 2015 17:36:31 +0100
Subject: [PATCH] Buffer Overflow in dbdimp.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hi there,

I found a buffer overflow in dbdimp.c. Error messages in dbdimp.c use
sprintf to a fixed-size buffer that (quite likely in two cases) might be
too small to hold the final result.

Attached you will find a patch that solves the problem by increasing the size
of the buffer to a value that should be large enough for every
conceivable input given the conversion specification and additionally
uses snprintf() instead of sprintf(). As snprintf() is already used
somewhere else in dbdimp.c I figure there are no portability issues
involved.

I did not check the other uses of sprintf, although it might be
worthwhile to do so as a quick check found other locations where a
fixed-size buffer is involved.

Best regards,
  Stefan

--
Stefan Roas, Datenbanken und studentische Verfahren
Friedrich-Alexander-Universität Erlangen-Nürnberg
Regionales Rechenzentrum Erlangen (RRZE)
Hugenottenplatz 1A, 91054 Erlangen, Deutschland
Tel.: +49 9131 85-29018
Fax : +49 9131 85-25777
stefan.roas@fau.de
http://www.rrze.fau.de
---
 dbdimp.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/dbdimp.c
+++ b/dbdimp.c
@@ -18,6 +18,8 @@
 
 DBISTATE_DECLARE;
 
+#define ERRBUFSIZE  255
+
 #define IB_SQLtimeformat(xxh, format, sv)                             \
 do {                                                                  \
     STRLEN len;                                                       \
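Review bot: the new ERRBUFSIZE macro carries no comment saying what it sizes, and 255 is an odd value next to the sizeof(err) uses below; a one-line comment such as "/* stack buffer for do_error() messages; sized for the longest format below */" and a round 256 would make the intent clearer. The use sites are right to pass sizeof(err) rather than the macro, so the bound stays correct if the size is ever changed.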
@@ -2187,8 +2189,8 @@
             /*
             * User passed an undef to a field that is not nullable.
             */
-            char err[80];
-            sprintf(err, "You have not provided a value for non-nullable parameter #%d.", i);
+            char err[ERRBUFSIZE];
+            snprintf(err, sizeof(err), "You have not provided a value for non-nullable parameter #%d.", i);
             do_error(sth, 1, err);
             retval = FALSE;
             return retval;
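Review bot: this first site was not actually overflowing: the fixed text is 59 bytes and "%d" adds at most 11, so 71 bytes including the terminator fit in the old char err[80]. Switching to snprintf(err, sizeof(err), ...) is still the right defensive change, but the commit message's "quite likely in two cases" should say explicitly that this hunk is precautionary and the two string-truncation sites are the real overflows. Note that snprintf now silently truncates an over-long message instead of overflowing, which is acceptable for a diagnostic handed to do_error().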
@@ -2227,8 +2229,8 @@
             else encoded = (U8*)string;
 
             if (len > ivar->sqllen) {
-                char err[80];
-                sprintf(err, "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu",
+                char err[ERRBUFSIZE];
+                snprintf(err, sizeof(err), "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu",
                         (long unsigned)len, (long unsigned)(sizeof(char) * (ivar->sqllen)));
                 break;
             }
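Review bot: in this hunk err is formatted and then discarded: the line after snprintf(...) is "break;" with no do_error(sth, 1, err) call, unlike the non-nullable case above, so the "String truncation (SQL_VARYING)" message never reaches the caller. That is pre-existing, but since the patch touches exactly these lines it is the moment to add "do_error(sth, 1, err);" before the break and decide whether retval should be set to FALSE as in the first hunk. On sizing, the change is genuinely needed here: 75 bytes of fixed text plus two "%lu" values exceeds 80 even for small lengths (5000 and 255 give 82 bytes) and reaches 115 bytes with 20-digit values, which the 255-byte buffer comfortably holds.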
@@ -2262,8 +2264,8 @@
             else encoded = (U8*)string;
 
             if (len > ivar->sqllen) {
-                char err[80];
-                sprintf(err, "String truncation (SQL_TEXT): attempted to bind %lu octets to column sized %lu",
+                char err[ERRBUFSIZE];
+                snprintf(err, sizeof(err), "String truncation (SQL_TEXT): attempted to bind %lu octets to column sized %lu",
                         (long unsigned)len, (long unsigned)(sizeof(char) * (ivar->sqllen)));
                 break;
             }
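Review bot: same two points as the SQL_VARYING hunk: err is never passed to do_error() before the "break;", so the message is dead, and the 72 bytes of fixed text plus two "%lu" values (up to 112 bytes) did not fit the old 80-byte buffer, so the enlargement plus snprintf is the real fix at this site. Consider folding the three near-identical blocks into one small helper that formats and reports the error, so a future message cannot grow past the buffer without a single place to check.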
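The commit message's reasoning, that the 80-byte buffers are too small for the "String truncation" messages and that snprintf(err, sizeof(err), ...) bounds the write, can be checked without triggering the overflow. The following is an added example in plain C and is not code from the patch or from DBD::Firebird; the two format strings are copied verbatim from the hunks, while OLD_ERRBUFSIZE and the helper names (needed_nonnull, needed_varying, fits_in, format_varying, truncated_in_old_buffer) are this example's own. It measures each message's worst-case length with snprintf(NULL, 0, ...) and shows how the snprintf return value tells the caller that a message was cut short.

```c
/* Added example, not code from the patch or from DBD::Firebird.
 * Measures how many bytes the patch's error messages actually need and
 * shows the bounded snprintf(buf, sizeof buf, ...) pattern the patch adopts.
 * OLD_ERRBUFSIZE and the helpers needed_nonnull, needed_varying, fits_in,
 * format_varying and truncated_in_old_buffer are this example's own names;
 * the format strings are copied from the patch hunks. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define OLD_ERRBUFSIZE 80   /* char err[80] used before the patch */
#define ERRBUFSIZE     255  /* size introduced by the patch */

static const char FMT_NONNULL[] =
    "You have not provided a value for non-nullable parameter #%d.";
static const char FMT_VARYING[] =
    "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu";

/* Bytes the formatted message needs, excluding the terminator. snprintf with
 * a NULL buffer and size 0 writes nothing and returns the full length (C99). */
size_t needed_nonnull(int i) {
    int n = snprintf(NULL, 0, FMT_NONNULL, i);
    return n < 0 ? 0 : (size_t)n;
}

size_t needed_varying(unsigned long len, unsigned long sqllen) {
    int n = snprintf(NULL, 0, FMT_VARYING, len, sqllen);
    return n < 0 ? 0 : (size_t)n;
}

/* Does a message of `needed` bytes plus its NUL fit in `bufsize` bytes? */
int fits_in(size_t needed, size_t bufsize) {
    return needed + 1 <= bufsize;
}

/* Bounded formatting in the style of the patch: never writes past bufsize,
 * always NUL-terminates, and reports truncation using snprintf's return
 * value (the length it wanted to write). Returns 1 if complete, 0 if cut. */
int format_varying(char *buf, size_t bufsize, unsigned long len, unsigned long sqllen) {
    int n = snprintf(buf, bufsize, FMT_VARYING, len, sqllen);
    return n >= 0 && (size_t)n < bufsize;
}

/* Reproduce the pre-patch situation safely: the same message into an
 * 80-byte buffer, but through snprintf, so we learn whether sprintf would
 * have run past the end without actually overflowing the stack. */
int truncated_in_old_buffer(unsigned long len, unsigned long sqllen) {
    char err[OLD_ERRBUFSIZE];
    return !format_varying(err, sizeof err, len, sqllen);
}

int main(void) {
    char err[ERRBUFSIZE];
    size_t n;

    n = needed_nonnull(INT_MIN);          /* worst case for %d: 11 characters */
    printf("non-nullable message needs %zu bytes; fits in 80: %s\n",
           n, fits_in(n, OLD_ERRBUFSIZE) ? "yes" : "no");

    n = needed_varying(5000, 255);        /* modest, realistic values */
    printf("SQL_VARYING message (5000, 255) needs %zu bytes; fits in 80: %s\n",
           n, fits_in(n, OLD_ERRBUFSIZE) ? "yes" : "no");

    n = needed_varying(ULONG_MAX, ULONG_MAX);   /* worst case for two %lu */
    printf("SQL_VARYING worst case needs %zu bytes; fits in 255: %s\n",
           n, fits_in(n, ERRBUFSIZE) ? "yes" : "no");

    if (format_varying(err, sizeof err, 5000, 255))
        printf("patched buffer holds: %s\n", err);
    return 0;
}
```

The measurement confirms the commit message's split: the non-nullable message fits the old buffer even at INT_MIN (70 bytes plus NUL), while the SQL_VARYING message already needs 82 bytes for lengths of 5000 and 255, so the old sprintf wrote past the end of err for ordinary inputs. The snprintf return-value check in format_varying is the piece the patch does not use; checking it lets the caller notice when a diagnostic has been truncated rather than trusting that ERRBUFSIZE stays large enough forever.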