Bug 178925 - SQLGetInfo buffer overflow when called to get "SQL_DBMS_VER"
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: unixODBC
Version: 4
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Tom Lane
Reported: 2006-01-25 10:26 EST by Brian Bielinski
Modified: 2013-07-02 23:07 EDT
Last Closed: 2007-01-22 14:11:45 EST
Description Brian Bielinski 2006-01-25 10:26:08 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:

buffer overflow when calling SQLGetInfo for item #18 (SQL_DBMS_VER).

I believe this is similar to bug #80394

Version-Release number of selected component (if applicable):
postgresql-odbc-08.00.0100-1 and postgresql-odbc-08.01.0102-1

How reproducible:
Always

Steps to Reproduce:
1. call "SQLGetInfo" to get value #18 (which is SQL_DBMS_VER)
  
I've called this through a perl script as well as through other software...

Actual Results:  *** buffer overflow detected ***: /usr/bin/perl terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x2fac45]
/lib/libc.so.6(__vsprintf_chk+0x0)[0x2fa510]
/lib/libc.so.6(_IO_default_xsputn+0x97)[0x27d858]
/lib/libc.so.6(_IO_vfprintf+0x363f)[0x25b141]
/lib/libc.so.6(__vsprintf_chk+0xa1)[0x2fa5b1]
/lib/libc.so.6(__sprintf_chk+0x30)[0x2fa504]
/usr/lib/libodbcpsql.so(SQLGetInfo+0xcb6)[0x504e99]
/usr/lib/libodbc.so.1(SQLGetInfo+0x616)[0x391a66]
/usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi/auto/DBD/ODBC/ODBC.so(odbc_get_info+0xaa)[0x142edf]
/usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi/auto/DBD/ODBC/ODBC.so(XS_DBD__ODBC__db__GetInfo+0x17b)[0x13b02f]
/usr/lib/perl5/5.8.6/i386-linux-thread-multi/CORE/libperl.so(Perl_pp_entersub+0x3a5)[0x4e21bcc]
/usr/lib/perl5/5.8.6/i386-linux-thread-multi/CORE/libperl.so(Perl_runops_debug+0x141)[0x4e03b01]
/usr/lib/perl5/5.8.6/i386-linux-thread-multi/CORE/libperl.so[0x4db1b9e]
/usr/lib/perl5/5.8.6/i386-linux-thread-multi/CORE/libperl.so(Perl_call_sv+0x52a)[0x4db6045]
/usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi/auto/DBI/DBI.so(XS_DBI_dispatch+0x12c8)[0x689200]
/usr/lib/perl5/5.8.6/i386-linux-thread-multi/CORE/libperl.so(Perl_pp_entersub+0x3a5)[0x4e21bcc]
/usr/lib/perl5/5.8.6/i386-linux-thread-multi/CORE/libperl.so(Perl_runops_debug+0x141)[0x4e03b01]
/usr/lib/perl5/5.8.6/i386-linux-thread-multi/CORE/libperl.so(perl_run+0x445)[0x4db6f51]
/usr/bin/perl(main+0x130)[0x80493f4]
/lib/libc.so.6(__libc_start_main+0xdf)[0x231d5f]
/usr/bin/perl[0x8049241]
======= Memory map: ========
00111000-0012f000 r-xp 00000000 fd:00 33947775   /usr/lib/perl5/5.8.6/i386-linux-thread-multi/auto/POSIX/POSIX.so
0012f000-00130000 rwxp 0001d000 fd:00 33947775   /usr/lib/perl5/5.8.6/i386-linux-thread-multi/auto/POSIX/POSIX.so
00130000-0014e000 r-xp 00000000 fd:00 34705813   /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi/auto/DBD/ODBC/ODBC.so
0014e000-0014f000 rwxp 0001e000 fd:00 34705813   /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi/auto/DBD/ODBC/ODBC.so
0014f000-00158000 r-xp 00000000 fd:00 458804     /lib/libnss_files-2.3.5.so
00158000-00159000 r-xp 00008000 fd:00 458804     /lib/libnss_files-2.3.5.so
00159000-0015a000 rwxp 00009000 fd:00 458804     /lib/libnss_files-2.3.5.so
00191000-00196000 r-xp 00000000 fd:00 458868     /lib/libcrypt-2.3.5.so
00196000-00197000 r-xp 00004000 fd:00 458868     /lib/libcrypt-2.3.5.so
00197000-00198000 rwxp 00005000 fd:00 458868     /lib/libcrypt-2.3.5.so
00198000-001bf000 rwxp 00198000 00:00 0
001ff000-00219000 r-xp 00000000 fd:00 458819     /lib/ld-2.3.5.so
00219000-0021a000 r-xp 00019000 fd:00 458819     /lib/ld-2.3.5.so
0021a000-0021b000 rwxp 0001a000 fd:00 458819     /lib/ld-2.3.5.so
0021d000-00340000 r-xp 00000000 fd:00 458823     /lib/libc-2.3.5.so
00340000-00342000 r-xp 00123000 fd:00 458823     /lib/libc-2.3.5.so
00342000-00344000 rwxp 00125000 fd:00 458823     /lib/libc-2.3.5.so
00344000-00346000 rwxp 00344000 00:00 0
00348000-0036b000 r-xp 00000000 fd:00 458847     /lib/libm-2.3.5.so
0036b000-0036c000 r-xp 00022000 fd:00 458847     /lib/libm-2.3.5.so
0036c000-0036d000 rwxp 00023000 fd:00 458847     /lib/libm-2.3.5.so
0036f000-00371000 r-xp 00000000 fd:00 458849     /lib/libdl-2.3.5.so
00371000-00372000 r-xp 00001000 fd:00 458849     /lib/libdl-2.3.5.so
00372000-00373000 rwxp 00002000 fd:00 458849     /lib/libdl-2.3.5.so
00373000-003d7000 r-xp 00000000 fd:00 33856443   /usr/lib/libodbc.so.1.0.0
003d7000-003dc000 rwxp 00063000 fd:00 33856443   /usr/lib/libodbc.so.1.0.0
00460000-0046e000 r-xp 00000000 fd:00 458869     /lib/libpthread-2.3.5.so
0046e000-0046f000 r-xp 0000d000 fd:00 458869     /lib/libpthread-2.3.5.so
0046f000-00470000 rwxp 0000e000 fd:00 458869     /lib/libpthread-2.3.5.so
00470000-00472000 rwxp 00470000 00:00 0 Aborted


Additional info:
Comment 1 Brian Bielinski 2006-01-26 12:31:37 EST
-=-=-= this is the perl script which shows the prob
#!/usr/bin/perl -w
use strict;
use warnings;

# must have "DBD::ODBC" installed; i used cpan2rpm...
use DBI;

# test is a postgresql database owned by me (brian)
my $dbh = DBI->connect('dbi:ODBC:test', 'brian')
	or die "Unable to connect: " . $DBI::errstr . "\n";

print "Driver : " . $dbh->{Driver}->{Name} . "\n";
# DBD::ODBC's GetInfo helper takes the numeric ODBC InfoType; 17 = SQL_DBMS_NAME
print "Driver : SQL_DBMS_NAME " . $dbh->func(17, 'GetInfo') . "\n";
# this next line causes the overflow (18 = SQL_DBMS_VER)
print "Driver : SQL_DBMS_VER " . $dbh->func(18, 'GetInfo') . "\n";
Comment 2 Tom Lane 2006-01-27 13:32:32 EST
Could you be more specific about how you set up DBD::ODBC?  Running "cpan2rpm
DBD::ODBC" fails for me with a complaint about not knowing which driver manager
to use.  I'm disinclined to guess about this since it might well be related...
Comment 3 Brian Bielinski 2006-01-27 17:09:52 EST
1) try running "odbctest" from a command line...
2) menu "Conn"->"Full Connect"
3) enter odbc DSN stuff for an already set up _postgresql_ database
4) hit "OK"
5) should see "Full Connect Succeeded" in the lower window
6) (just to test...) "Conn"->"SQLGetInfo"
7) (still testing...) in the "Info Type" listbox select "SQL_DBMS_NAME=17"
8) hit "OK"   
9) should see "Postgresql" ( THIS WORKS!!!)
10) (now the bug) "Conn"->"SQLGetInfo"
11) in the "Info Type" listbox select "SQL_DBMS_VER=18"
12) hit "OK" and....    BLAMMO!!!!
13) read your buffer overflow output on the command line...

i really think you should read bug #80394 and look at the last comment...
this might be a lead. 

in my current "/usr/src/debug/psqlodbc-08.01.0102/psqlodbc.h" the
MAX_INFO_STRING is 128

btw: the way I built the perl-dbd-odbc rpm is "export ODBCHOME=/usr; cpan2rpm
DBD::ODBC".  i called SQLGetInfo for every value from 0 to 5000. the only one it
blows up on is 18.

cheers!
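The backtrace in the description ends in __sprintf_chk inside the driver's SQLGetInfo, and the comment above notes that the driver's working buffer, MAX_INFO_STRING, is 128 bytes. The following is an added example, not code from psqlodbc, unixODBC or this bug: it shows the bounded pattern an SQLGetInfo string answer such as SQL_DBMS_VER should follow (format into the fixed working buffer with snprintf, copy at most the caller's BufferLength minus one, always NUL-terminate, and report truncation through the ODBC SQL_SUCCESS_WITH_INFO status and the full length). The function names get_info_dbms_ver and probe_status, and the version strings fed to them, are constructed for this example.

```c
/* Constructed example: a bounded SQL_DBMS_VER answer for an SQLGetInfo
 * implementation. Not code from psqlodbc or unixODBC. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_INFO_STRING 128      /* the working-buffer size the reporter found in psqlodbc.h */
#define SQL_SUCCESS 0            /* ODBC status codes, values as in sql.h */
#define SQL_SUCCESS_WITH_INFO 1
#define SQL_ERROR (-1)

/* Unsafe shape of the code path the backtrace points at (__sprintf_chk):
 *     char tmp[MAX_INFO_STRING];
 *     sprintf(tmp, "%s", server_version);   // unbounded: a long version overflows tmp
 *     strcpy(info_value, tmp);              // ignores the caller's BufferLength
 * Both calls are replaced below with length-checked equivalents. */

/* Formats server_version as the SQL_DBMS_VER answer into the caller's buffer.
 * ODBC semantics: *string_length receives the full (untruncated) length,
 * the output is always NUL-terminated, and a cut answer is reported with
 * SQL_SUCCESS_WITH_INFO instead of writing past either buffer. */
int get_info_dbms_ver(const char *server_version,
                      char *info_value, size_t buffer_length,
                      size_t *string_length)
{
    char tmp[MAX_INFO_STRING];
    int n;

    if (server_version == NULL)
        return SQL_ERROR;

    /* snprintf writes at most sizeof tmp bytes including the NUL; n is the
     * length the full string would have had, so n >= sizeof tmp means it was cut. */
    n = snprintf(tmp, sizeof tmp, "%s", server_version);
    if (n < 0)
        return SQL_ERROR;

    size_t full_len = strlen(tmp);          /* what actually fits in tmp */
    if (string_length != NULL)
        *string_length = (size_t)n;         /* report the untruncated length */

    if (info_value == NULL || buffer_length == 0)
        return SQL_SUCCESS_WITH_INFO;       /* caller only asked for the length */

    /* copy at most buffer_length - 1 bytes, then terminate */
    size_t copy_len = full_len < buffer_length - 1 ? full_len : buffer_length - 1;
    memcpy(info_value, tmp, copy_len);
    info_value[copy_len] = '\0';

    return ((size_t)n > copy_len) ? SQL_SUCCESS_WITH_INFO : SQL_SUCCESS;
}

/* Stand-alone probe (constructed for this example): answers with a version
 * string of version_len '9' characters into a caller buffer of buffer_length
 * bytes (at most 256) and returns the status code. */
int probe_status(size_t version_len, size_t buffer_length)
{
    char version[1024];
    char out[256];

    if (version_len >= sizeof version || buffer_length > sizeof out)
        return SQL_ERROR;
    memset(version, '9', version_len);
    version[version_len] = '\0';
    return get_info_dbms_ver(version, out, buffer_length, NULL);
}

int main(void)
{
    char buf[32];
    size_t len = 0;
    int rc = get_info_dbms_ver("08.01.0102", buf, sizeof buf, &len);

    printf("rc=%d value=\"%s\" full_length=%zu\n", rc, buf, len);
    printf("200-char version into a 32-byte buffer: rc=%d\n", probe_status(200, 32));
    printf("128-char version into a 256-byte buffer: rc=%d\n", probe_status(128, 256));
    return 0;
}
```

Note the third probe: a 128-character version string is cut even though the caller's buffer is large, because MAX_INFO_STRING bounds the working buffer first; the bounded version reports that with SQL_SUCCESS_WITH_INFO, where the sprintf form would have written past tmp.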
Comment 4 Tom Lane 2006-01-28 12:17:54 EST
Doh, I just looked at your stack trace more closely, and realized that you are
running the wrong ODBC driver:
$ rpm -qf /usr/lib/libodbcpsql.so
unixODBC-2.2.11-3.FC4.1

That's the horribly obsolete one that's included in the unixODBC distribution,
*not* the one from the psqlodbc package.  You need to repoint your DSN to
Driver=/usr/lib/psqlodbc.so
Setup=/usr/lib/psqlodbc.so
(or possibly /usr/lib64/, if you really are on x86_64)

I'll patch the unixODBC driver next time I have occasion to turn the package,
but really that code is going to go away entirely someday soon.  I think the
unixODBC developers have already agreed to remove it upstream.
Comment 5 Christian Iseli 2007-01-19 19:28:19 EST
This report targets the FC3 or FC4 products, which have now been EOL'd.

Could you please check that it still applies to a current Fedora release, and
either update the target product or close it ?

Thanks.
Comment 6 Brian Bielinski 2007-01-22 14:11:45 EST
I do not currently run a 64bit version of FC6, although I can confirm that the
bug does NOT exist in the 32 bit version (even using the old driver).  I will
close this bug (although that buggy driver is still in the unixODBC rpm and
should probably be removed...)

Many thanks,

Brian
