
[perl5-dbi/dbi] 36f2a2: Fix a buffer overflow on an overlong DBD class name

From: Tim Bunce
Date: August 2, 2019 04:21
Subject: [perl5-dbi/dbi] 36f2a2: Fix a buffer overflow on an overlong DBD class name
Message ID: perl5-dbi/dbi/push/refs/heads/master/a0e175-eaf547@github.com
  Branch: refs/heads/master

  Home:   https://github.com/perl5-dbi/dbi

  Commit: 36f2a2c5fea36d7d47d6871e420286643460e71b

      https://github.com/perl5-dbi/dbi/commit/36f2a2c5fea36d7d47d6871e420286643460e71b

  Author: Petr Písař <ppisar@redhat.com>

  Date:   2019-08-01 (Thu, 01 Aug 2019)



  Changed paths:

    M DBI.xs

    M t/02dbidrv.t



  Log Message:

  -----------

  Fix a buffer overflow on an overlong DBD class name



dbih_setup_handle() in DBI.xs does:



static void
dbih_setup_handle(pTHX_ SV *orv, char *imp_class, SV *parent, SV *imp_datasv)
{
    [...]
    char imp_mem_name[300];
    [...]
    strcpy(imp_mem_name, imp_class);
    strcat(imp_mem_name, "_mem");
    [...]
}



If the imp_class argument string value is longer than 300 - strlen("_mem")
- 1 bytes, data will be written past the imp_mem_name[] array. The
imp_class comes from the DBD driver class name (DBI::_new_drh ->
_new_handle() -> dbih_setup_handle()).



People usually do not use such long package names (e.g. DBD::ExampleP
calls DBI::_new_drh() in lib/DBD/ExampleP.pm), so the risk is low.



Reproducer:



$ perl -MDBI -e 'DBI::_new_drh(q{x} x 300, {}, 0)'
*** buffer overflow detected ***: perl terminated
Aborted (core dumped)



https://rt.cpan.org/Ticket/Display.html?id=130191





  Commit: eaf547a5696b8530b597f82dbb094ff1e3f6713d

      https://github.com/perl5-dbi/dbi/commit/eaf547a5696b8530b597f82dbb094ff1e3f6713d

  Author: Tim Bunce <Tim.Bunce@pobox.com>

  Date:   2019-08-01 (Thu, 01 Aug 2019)



  Changed paths:

    M DBI.xs

    M t/02dbidrv.t



  Log Message:

  -----------

  Merge pull request #83 from ppisar/imp_mem_name



Fix a buffer overflow on an overlong DBD class name





Compare: https://github.com/perl5-dbi/dbi/compare/a0e17557590f...eaf547a5696b
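
The notification above does not include the diff, so the following is an added example, not the patch from commit 36f2a2 and not code from DBI.xs: one bounded way to build the "<imp_class>_mem" name that rejects an overlong class name instead of writing past the 300-byte buffer. The helper names build_imp_mem_name(), max_class_len() and try_class_of_length() are hypothetical, and the 'x'-filled class names are constructed input modelled on the reproducer.

```c
#include <stdio.h>
#include <string.h>

#define IMP_MEM_NAME_SIZE 300      /* size of imp_mem_name[] quoted above */
#define MEM_SUFFIX        "_mem"

/* Longest imp_class that still fits with the suffix and the NUL: 295. */
size_t max_class_len(void)
{
    return IMP_MEM_NAME_SIZE - strlen(MEM_SUFFIX) - 1;
}

/* Hypothetical helper: write "<imp_class>_mem" into out[out_size].
 * Returns 0 on success, -1 if it would not fit (out is then ""). */
int build_imp_mem_name(char *out, size_t out_size, const char *imp_class)
{
    int n;
    if (out == NULL || out_size == 0 || imp_class == NULL)
        return -1;
    /* snprintf never writes more than out_size bytes and reports the
     * length it needed, so truncation is detectable. */
    n = snprintf(out, out_size, "%s%s", imp_class, MEM_SUFFIX);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input: a class name of `len` 'x' characters, like the
 * reproducer's q{x} x 300. Returns what build_imp_mem_name() returns. */
int try_class_of_length(size_t len)
{
    char cls[512];
    char imp_mem_name[IMP_MEM_NAME_SIZE];
    if (len >= sizeof cls)
        return -1;
    memset(cls, 'x', len);
    cls[len] = '\0';
    return build_imp_mem_name(imp_mem_name, sizeof imp_mem_name, cls);
}

int main(void)
{
    printf("max class length: %zu\n", max_class_len());
    printf("len 295 -> %d\n", try_class_of_length(295));
    printf("len 300 -> %d\n", try_class_of_length(300));
    return 0;
}
```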



