Bug#264453: [Pkg-firebird-general] Bug#264453: Very likely not exploitable
Florian Weimer
fw at deneb.enyo.de
Mon Oct 31 08:29:29 UTC 2005
* Damyan Ivanov:
> So I decided to check whether fb_lock_mgr actually uses this source. It seems
> to be linked with jrd statically. (From what I see in the makefile spaghetti)
This is only a problem if it also invokes setlocale, to activate the
localized message files.
> So, what is the code, that is considered unsafe?
I believe it's now in line 959.
|     case gds_arg_unix:
|         if (code > 0 && code < sys_nerr && (p = (TEXT*)sys_errlist[code]))
|             strcpy(s, p);
|         else if (code == 60)
|             strcpy(s, "connection timed out");
|         else if (code == 61)
|             strcpy(s, "connection refused");
|         else
|             sprintf(s, "unknown unix error %ld", code); /* TXNN */
|         break;
Just horrible. 8-(
You could check that strlen(sys_errlist[code]) is less than 64 at this
point or something like that. One (very indirect) caller I found
allocates a buffer of 1024 bytes.
But look at the code above:
|     case gds_arg_interpreted:
|         p = s;
|         q = (TEXT *) (*vector)[1];
|         while ((*p++ = *q++) /*!= NULL*/);
|         break;
This is even more suspicious.
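The two cases quoted in the mail copy a message of unknown length into a status buffer whose size the copying code never sees. The example below is added to this archive page to show the bounded form of both copies; it is not Firebird code and not part of the original message. The 64-byte buffer, the demo_errlist table (with a deliberately long entry standing in for what a localized message catalogue could return) and the canary check are all constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for sys_errlist/sys_nerr. Entry 3 is a deliberately
 * long "localized" message, the kind of string setlocale() could cause a
 * message catalogue to hand back. None of this is Firebird data. */
static const char *const demo_errlist[] = {
    "Success",                          /* 0 */
    "Operation not permitted",          /* 1 */
    "No such file or directory",        /* 2 */
    "Localized message that is far longer than the caller's fixed-size "
    "status buffer expects, to show how a strcpy() would run off the end",
};
static const int demo_nerr = (int)(sizeof demo_errlist / sizeof demo_errlist[0]);

/* Bounded copy shared by both cases: writes at most cap-1 bytes plus a NUL.
 * Returns 1 if the whole message fit, 0 if it was truncated or cap == 0. */
static int copy_bounded(char *s, size_t cap, const char *msg)
{
    size_t len;
    if (cap == 0)
        return 0;
    len = strlen(msg);
    if (len >= cap) {
        memcpy(s, msg, cap - 1);
        s[cap - 1] = '\0';
        return 0;
    }
    memcpy(s, msg, len + 1);
    return 1;
}

/* Bounded rewrite of the gds_arg_unix case quoted above: same selection
 * logic, but every write into s is limited to cap bytes. The error table is
 * passed in so the demo table can be used instead of sys_errlist. */
int format_unix_error(char *s, size_t cap, long code,
                      const char *const *errlist, int nerr)
{
    const char *p;
    char tmp[64];

    if (code > 0 && code < nerr && (p = errlist[code]) != NULL)
        return copy_bounded(s, cap, p);
    if (code == 60)
        return copy_bounded(s, cap, "connection timed out");
    if (code == 61)
        return copy_bounded(s, cap, "connection refused");
    snprintf(tmp, sizeof tmp, "unknown unix error %ld", code);
    return copy_bounded(s, cap, tmp);
}

/* Bounded rewrite of the gds_arg_interpreted case: the unbounded
 * while ((*p++ = *q++)); becomes a length-checked copy of (*vector)[1]. */
int copy_interpreted(char *s, size_t cap, const char *q)
{
    return copy_bounded(s, cap, q);
}

/* Check helper: formats code into a 64-byte buffer and returns 1 if the
 * message fit and equals expected. */
int unix_error_equals(long code, const char *expected)
{
    char s[64];
    int fit = format_unix_error(s, sizeof s, code, demo_errlist, demo_nerr);
    return fit == 1 && strcmp(s, expected) == 0;
}

/* Check helper for the interpreted case with an arbitrary capacity. */
int interpreted_copy_equals(size_t cap, const char *q,
                            const char *expected, int expect_fit)
{
    char s[64];
    int fit = copy_interpreted(s, cap, q);
    return fit == expect_fit && strcmp(s, expected) == 0;
}

/* Overflow check: a 64-byte status buffer followed by a canary. Returns 1 if
 * the long entry 3 was reported as truncated, filled exactly cap-1 bytes,
 * and left the canary untouched. */
int long_message_is_contained(void)
{
    struct { char s[64]; char canary[8]; } buf;
    size_t i;
    int fit;

    memset(buf.canary, 0x5a, sizeof buf.canary);
    fit = format_unix_error(buf.s, sizeof buf.s, 3, demo_errlist, demo_nerr);
    for (i = 0; i < sizeof buf.canary; i++)
        if ((unsigned char)buf.canary[i] != 0x5a)
            return 0;
    return fit == 0 && strlen(buf.s) == sizeof buf.s - 1;
}

int main(void)
{
    char s[64];
    format_unix_error(s, sizeof s, 2, demo_errlist, demo_nerr);
    printf("%s\n", s);
    format_unix_error(s, sizeof s, 999, demo_errlist, demo_nerr);
    printf("%s\n", s);
    printf("long message contained: %d\n", long_message_is_contained());
    return 0;
}
```

The caller still decides the buffer size, as in the original, but the copying code is told that size and truncates rather than writing past it; returning the fit/truncated status lets a caller detect that a message was cut short. sys_errlist is only emulated here because modern glibc no longer exports it.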