
This queue is for tickets about the DBI CPAN distribution.

Report information
The Basics
Id: 130191
Status: new
Priority: 0/
Queue: DBI

People
Owner: Nobody in particular
Requestors: ppisar [...] redhat.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 1.642
Fixed in: (no value)



Subject: Possible buffer overwrite with overlong driver class name
dbih_setup_handle() in DBI.xs does:

    static void
    dbih_setup_handle(pTHX_ SV *orv, char *imp_class, SV *parent, SV *imp_datasv)
    {
        [...]
        char imp_mem_name[300];
        [...]
        strcpy(imp_mem_name, imp_class);
        strcat(imp_mem_name, "_mem");
        [...]
    }

If the imp_class argument string value is longer than 300 - strlen("_mem") - 1 bytes, data will be written past the imp_mem_name[] array. The imp_class comes from the DBD driver class name (DBI::_new_drh -> _new_handle() -> dbih_setup_handle()).

People usually do not use such long package names (e.g. DBD::ExampleP calls DBI::_new_drh() in lib/DBD/ExampleP.pm), but still it would be great to check the length and report an error.
On Fri 26 Jul 2019 07:01:09, ppisar wrote:
> dbih_setup_handle() in DBI.xs does:
>
> static void
> dbih_setup_handle(pTHX_ SV *orv, char *imp_class, SV *parent, SV
> *imp_datasv)
> {
> [...]
> char imp_mem_name[300];
> [...]
> strcpy(imp_mem_name, imp_class);
> strcat(imp_mem_name, "_mem");
> [...]
> }
>
> If the imp_class argument string value is longer than 300 - strlen("_mem")
> - 1 bytes, data will be written past the imp_mem_name[] array. The
> imp_class comes from the DBD driver class name (DBI::_new_drh ->
> _new_handle() -> dbih_setup_handle()).
>
> People usually do not use such long package names (e.g. DBD::ExampleP
> calls DBI::_new_drh() in lib/DBD/ExampleP.pm), but still it would be
> great to check the length and report an error.
Reproducer:

    $ perl -Iblib/{lib,arch} -MDBI -e 'DBI::_new_drh(q{x} x 300, {}, 0)'
    *** buffer overflow detected ***: perl terminated
    Aborted (core dumped)
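The following is an added example, not code from DBI, from the ticket or from the linked pull request. It puts the strcpy/strcat-into-imp_mem_name[300] pattern quoted in the report beside a bounds-checked version that rejects an over-long class name instead of writing past the array, and feeds it names of the reproducer's shape (n 'x' characters) to show where the limit of 300 - strlen("_mem") - 1 = 295 bytes falls. The function names build_mem_name_unchecked, build_mem_name_checked and accepts_class_of_length, the 1024-byte scratch buffer and the class name "DBD::Example::dr" are assumptions made for this demo; how DBI itself reports the error is not shown here.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define IMP_MEM_NAME_LEN 300   /* matches char imp_mem_name[300] in the report */
#define MEM_SUFFIX "_mem"

/* The pattern as reported: strcpy/strcat into a fixed buffer with no
 * length check. Kept only for comparison; it overruns imp_mem_name
 * whenever strlen(imp_class) > 300 - strlen("_mem") - 1 == 295. */
static void build_mem_name_unchecked(char *imp_mem_name, const char *imp_class)
{
    strcpy(imp_mem_name, imp_class);
    strcat(imp_mem_name, MEM_SUFFIX);
}

/* Bounds-checked replacement (assumed name, not DBI's fix): writes
 * "<imp_class>_mem" into dst and returns 0, or returns -1 and leaves
 * dst as "" when class name + suffix + NUL would not fit in dst_len.
 * A caller in DBI.xs would croak() on -1; here the error is a return code. */
static int build_mem_name_checked(char *dst, size_t dst_len, const char *imp_class)
{
    size_t suffix_len = strlen(MEM_SUFFIX);
    size_t class_len = strlen(imp_class);

    /* Check the suffix first so dst_len - suffix_len - 1 cannot underflow. */
    if (dst_len < suffix_len + 1 || class_len > dst_len - suffix_len - 1) {
        if (dst_len > 0)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, imp_class, class_len);
    memcpy(dst + class_len, MEM_SUFFIX, suffix_len + 1);  /* copies the NUL too */
    return 0;
}

/* Mirrors the reproducer: a driver class name of n 'x' characters
 * (constructed input). Returns 1 if the checked builder accepts it into
 * a 300-byte imp_mem_name, 0 if it rejects it. */
static int accepts_class_of_length(size_t n)
{
    char imp_class[1024];
    char imp_mem_name[IMP_MEM_NAME_LEN];

    if (n >= sizeof imp_class)
        return 0;
    memset(imp_class, 'x', n);
    imp_class[n] = '\0';
    return build_mem_name_checked(imp_mem_name, sizeof imp_mem_name, imp_class) == 0;
}

int main(void)
{
    char imp_mem_name[IMP_MEM_NAME_LEN];

    /* Short, well-formed name (constructed): both versions behave the same. */
    build_mem_name_unchecked(imp_mem_name, "DBD::Example::dr");
    printf("unchecked: %s\n", imp_mem_name);
    build_mem_name_checked(imp_mem_name, sizeof imp_mem_name, "DBD::Example::dr");
    printf("checked:   %s\n", imp_mem_name);

    /* The reproducer's 300 x's: the unchecked form would overrun the
     * array; the checked form refuses. 295 is the last accepted length. */
    printf("295 x's: %s\n", accepts_class_of_length(295) ? "accepted" : "rejected");
    printf("296 x's: %s\n", accepts_class_of_length(296) ? "accepted" : "rejected");
    printf("300 x's: %s\n", accepts_class_of_length(300) ? "accepted" : "rejected");
    return 0;
}
```

The "*** buffer overflow detected ***" abort in the reproducer is glibc's _FORTIFY_SOURCE check on strcpy/strcat catching the overrun of the stack array at run time; a build without fortification would instead silently corrupt whatever sits above imp_mem_name on the stack, which is why an explicit length check before the copy is the right fix rather than relying on the hardened libc to abort.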
On Fri 26 Jul 2019 07:01:09, ppisar wrote:
> If the imp_class argument string value is longer than 300 - strlen("_mem")
> - 1 bytes, data will be written past the imp_mem_name[] array. The
> imp_class comes from the DBD driver class name (DBI::_new_drh ->
> _new_handle() -> dbih_setup_handle()).
>
A possible fix is at <https://github.com/perl5-dbi/dbi/pull/83>.