Edit report at https://bugs.php.net/bug.php?id=63235&edit=1

 ID:                 63235
 Updated by:         larue...@php.net
 Reported by:        r...@php.net
 Summary:            buffer overflow in use of SQLGetDiagRec
 Status:             Open
 Type:               Bug
 Package:            PDO related
 Operating System:   GNU/Linux
 PHP Version:        5.4.7
 Block user comment: N
 Private report:     N

 New Comment:

yeah, I think you can commit that patch. thanks


Previous Comments:
------------------------------------------------------------------------
[2012-10-08 18:14:02] r...@php.net

@laruence, I agree, but in this case it should rather be SQL_MAX_MESSAGE_LENGTH+1 
as used in the unixODBC source code.

But this has no risk as this is (mostly) protected by the buffer_length arg.

From the extract_sql_error_rec function source code
(unixODBC-2.3.1/DriverManager/SQLGetDiagRec.c):

    if ( sqlstate )
        strcpy((char*) sqlstate, "00000" );

Here is the buffer overflow issue (no length protection).

------------------------------------------------------------------------
[2012-10-08 15:35:02] larue...@php.net

maybe the discard_buf should also be consistent with struct pdo_odbc_errinfo.last_err_msg

which is "char last_err_msg[SQL_MAX_MESSAGE_LENGTH];"

diff is:

diff --git a/ext/pdo_odbc/odbc_driver.c b/ext/pdo_odbc/odbc_driver.c
index 84a147b..2176051 100755
--- a/ext/pdo_odbc/odbc_driver.c
+++ b/ext/pdo_odbc/odbc_driver.c
@@ -114,8 +114,8 @@ void pdo_odbc_error(pdo_dbh_t *dbh, pdo_stmt_t *stmt, 
PDO_ODBC_HSTMT statement,
         * diagnostic records (which can be generated by PRINT statements
         * in the query, for instance). */
        while (rc == SQL_SUCCESS || rc == SQL_SUCCESS_WITH_INFO) {
-               char discard_state[5];
-               char discard_buf[1024];
+               char discard_state[6];
+               char discard_buf[SQL_MAX_MESSAGE_LENGTH];
                SQLINTEGER code;
                rc = SQLGetDiagRec(htype, eh, recno++, discard_state, &code,
                                discard_buf, sizeof(discard_buf)-1, 
&errmsgsize);
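Review bot: the change from discard_state[5] to discard_state[6] is the essential part of this hunk and should land on its own merits: SQLGetDiagRec has no length argument for its SQLSTATE output, and the unixODBC implementation quoted in this thread does strcpy(sqlstate, "00000"), which writes five characters plus the terminator, so the old five-byte array was overrun by one byte on every call. The discard_buf change is only a consistency question, because the call already passes sizeof(discard_buf)-1 as BufferLength and the driver cannot write past the array either way; if the goal is to mirror pdo_odbc_errinfo.last_err_msg, the suggestion elsewhere in this thread to use SQL_MAX_MESSAGE_LENGTH+1 (as unixODBC itself does) applies to both declarations, so it would be cleaner to change the struct member and this local together rather than one here.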

------------------------------------------------------------------------
[2012-10-08 07:37:02] r...@php.net

The following patch has been added/updated:

Patch Name: php-5.3.3-pdo-overflow.patch
Revision:   1349681821
URL:        
https://bugs.php.net/patch-display.php?bug=63235&patch=php-5.3.3-pdo-overflow.patch&revision=1349681821

------------------------------------------------------------------------
[2012-10-08 07:36:51] r...@php.net

Description:
------------
Already reported on internals: http://marc.info/?t=134262688600006&r=1&w=2

Discard state is 5 char long, so buffer must be 6.

Trivial fix attached.
(could apply in all branches)




------------------------------------------------------------------------