| Bug #3194 | Buffer over-run bugs in MyODBC 3.51.07 | ||
|---|---|---|---|
| Submitted: | 16 Mar 2004 22:06 | Modified: | 15 Jul 2004 16:54 |
| Reporter: | [ name withheld ] | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | Connector / ODBC | Severity: | S2 (Serious) |
| Version: | 3.51.07 | OS: | Any (All) |
| Assigned to: | Timothy Smith | CPU Architecture: | Any |
[29 Jun 2004 17:36]
Timothy Smith
I agree that the code has the fault pointed out by the customer. I was not able to devise a quick test case to demonstrate it (running into a memory allocation error, which may be my incorrect use of SQLBindParameter()).
[14 Jul 2004 18:39]
Peter Harvey
test program (actually just ensures that everthying works after fix - does not prove problem in the first place)
Attachment: test.c (text/plain), 8.56 KiB.
[14 Jul 2004 18:42]
Peter Harvey
Looking at code - it would appear that a problem could occur under specific circumstances. Reviewed possible fixs and implemented customers suggested fix. Created a test program to ensure that everything works fine and attached to this bug.
[15 Jul 2004 16:54]
Timothy Smith
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.
If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information
about accessing the source trees is available at
http://www.mysql.com/doc/en/Installing_source_tree.html
Additional info:
This fix will be available in the next minor release of 3.51.x (I expect 3.51.9).
Description: The execute.c file uses variable length buffers to construct the final SQL statement. In most cases, the length of the buffer is checked before data is added to it, but there are two locations where data is added without checking that the buffer is big enough to hold the data. These happen in the insert_param function in execute.c case SQL_CHAR: case SQL_VARCHAR: case SQL_LONGVARCHAR: case SQL_BINARY: case SQL_VARBINARY: case SQL_LONGVARBINARY: { *to++='\''; to= mysql_odbc_escape_string(mysql, to, (net->max_packet - (ulong) (to - (char*) net->buff)), data, length, (void*) net, extend_escape_buffer); if (to) /* escape was ok */ { *to++='\''; } return to; } The problems are the " *to++= " lines - the buffer to is not checked for correct sizes before being added to. How to repeat: This hasn't caused me to crash yet. I found these problems while trying to fix another bug in the ODBC driver. The buffer starts at 8192 and increases by 8192 when full, so the chances of memory overrun only exist for SQL statements over 8192 bytes in length. Suggested fix: Change the *to++='\'' to: to = add_to_buffer(net,to,"'", 1);