[#CORE-1756] AV in isc_start_transaction (isc_start_multiple) - bad TEB

Firebird Core

AV in isc_start_transaction (isc_start_multiple) - bad TEB

Created: 21/Feb/08 07:00 AM Updated: 12/Nov/09 04:09 PM

Component/s:

API / Client Library

Affects Version/s:

2.0.3, 1.5.5, 2.1 RC1

Fix Version/s:

2.5 Alpha 1

Time Tracking:

Not Specified

Planning Status:

Unspecified

Description

« Hide

AV samples

isc_start_transaction(status_vector, &valid_tr_handle, 1, &valid_db_handle, 32000 , NULL)

isc_start_transaction(status_vector, &valid_tr_handle, 1, &valid_db_handle, -1 , NULL)

isc_start_transaction(status_vector, &valid_tr_handle, 1, &valid_db_handle, -1 , valid_pointer_to_tpb)

I think, need write code like

if(tpb_length<0)
{
  // ERROR
}

if(tpb_length!=0 && tpb==NULL)
{
  // ERROR
}

All

Comments

Work Log

Change History

Version Control

Subversion Commits

Sort Order:

[ Permalink | « Hide ]

Kovalenko Dmitry added a comment - 26/Feb/08 11:08 AM

why.cpp ------------

ISC_STATUS API_ROUTINE GDS_START_MULTIPLE( ... )
{
// ....

for (....)
{
  if(vector->teb_tpb_length<0)
  {
   Firebird::status_exception::raise(isc_bad_tpb_form,isc_arg_end);
  }

  if(vector->teb_tpb==NULL && vector->teb_tpb_length>0)
  {
   Firebird::status_exception::raise(isc_bad_tpb_form,isc_arg_end);
  }

  // ....
}//for

// ....
}// GDS_START_MULTIPLE

-----
Additional proposal: change the type of TEB::teb_tpb to const UCHAR*

Thanks

[ Permalink | « Hide ]

Kovalenko Dmitry added a comment - 26/Feb/08 02:34 PM

Also:

if(vector==NULL)
{
Firebird::status_exception::raise(isc_bad_trans_handle,/* Do we need new error code here ? */ isc_arg_end);
}

[ Permalink | « Hide ]

Alexander Peshkov added a comment - 29/Feb/08 11:47 AM

Appropriate tests are added.
Cause none of AVs can be used for remote attack, no use backporting.