Subject: | harness DBIc_TYPE switch |
I already added this patch to the other security ticket of mine, but it was never applied.
Handle all allowed cases for DBIc_TYPE(imp), and fail when it is abused, as shown in the security case with the use-after-free.
Subject: | dbi.patch |
Index: DBI.xs
===================================================================
--- DBI.xs (revision 15622)
+++ DBI.xs (working copy)
@@ -1369,6 +1369,7 @@
imp_xxh_t *imp;
imp_xxh_t *parent_imp;
int trace_level;
+ int htype;
h = dbih_inner(aTHX_ orv, "dbih_setup_handle");
parent = dbih_inner(aTHX_ parent, NULL); /* check parent valid (& inner) */
@@ -1478,7 +1479,8 @@
DBIc_LongReadLen(imp) = DBIc_LongReadLen_init;
}
- switch (DBIc_TYPE(imp)) {
+ htype = DBIc_TYPE(imp);
+ switch (htype) {
case DBIt_DB:
/* cache _inner_ handle, but also see quick_FETCH */
(void)hv_store((HV*)SvRV(h), "Driver", 6, newRV_inc(SvRV(parent)), 0);
@@ -1492,10 +1494,15 @@
tmp_svp = hv_fetch((HV*)SvRV(h), "Statement", 9, 1);
(void)hv_store((HV*)SvRV(parent), "Statement", 9, SvREFCNT_inc(*tmp_svp), 0);
break;
+ case DBIt_DR:
+ case DBIt_FD:
+ break;
+ default:
+ die("Wrong DBIc_TYPE %d=%s", htype, dbih_htype_name(htype));
}
}
else
- die("panic: invalid DBIc_TYPE");
+ die("panic: invalid DBIc_TYPE %d", DBIc_TYPE(imp));
/* Use DBI magic on inner handle to carry handle attributes */
/* Note that we store the imp_sv in mg_obj, but as a shortcut, */
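Review bot: In the new `default:` arm the `%s` argument carries no information, because `htype` has by then failed to match every known handle type, so `dbih_htype_name(htype)` can only return whatever fallback it has for unknown values (its definition is outside this hunk; confirm it returns a static string for any input rather than indexing a table). I would print the number alone and keep the `panic:` prefix that the `else` arm uses: `die("panic: invalid DBIc_TYPE %d", htype);`. The check also runs late, after `DBIc_LongReadLen(imp)` and possibly other fields have been written, so if a corrupted type can reach this function, as the description suggests, validating it near the top of `dbih_setup_handle` would keep earlier code from acting on it. The empty `DBIt_DR`/`DBIt_FD` arms deserve a short comment, for example `/* nothing to cache on the parent for these handle types */`. The enclosing function starts and ends outside the hunk.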