
INF_* functions may invalidate the whole output buffer with isc_info_truncated at the beginning due to boundary condition. [CORE2313] #2737

Closed
firebird-automations opened this issue Feb 9, 2009 · 6 comments

Comments

@firebird-automations

Submitted by: Claudio Valderrama C. (robocop)

Assigned to: Claudio Valderrama C. (robocop)

In FB1, I noticed that INF_put_item may put the requested item but without leaving any space for isc_info_end and thus returning a malformed buffer to the user, that may eventually crash while finding the end of the binary string. Hence, I made INF_put_item check for one byte more of space before writing, otherwise putting isc_info_truncated and nothing more. This change avoided cluttering the code in the INF_* functions with checks and it worked well in FB1.0, FB1.5 and FB2.0.
However, in FB2.1, Vlad added isc_info_length as an initial item to inform the user of the output's total length. For this task, once the buffer is filled, he shifts it to make room for 7 bytes at the beginning and calls INF_put_item. However, this function is unaware that it's inserting (isc_info_end is already stored) and if only 7 bytes are available in the buffer, it will fail, writing isc_info_truncated at the very beginning, effectively invalidating all the information stored in the output buffer. This is a boundary case and I didn't find it in practice but by reading the code. The affected functions are those where Vlad made the enhancement: INF_blob_info, INF_request_info and INF_transaction_info. INF_database_info isn't affected because it was left unchanged by Vlad.

Commits: 05feaac 5a75b12

@firebird-automations

Modified by: Claudio Valderrama C. (robocop)

assignee: Claudio Valderrama C. [ robocop ]

@firebird-automations

Commented by: Claudio Valderrama C. (robocop)

SVC_query2 is affected as well. This means the call to get information from a service may exhibit the same anomalous behavior.

@firebird-automations

Modified by: Claudio Valderrama C. (robocop)

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 2.5 Beta 1 [ 10251 ]

Fix Version: 2.1.3 [ 10302 ]

@firebird-automations

Modified by: @pcisar

status: Resolved [ 5 ] => Closed [ 6 ]

@firebird-automations

Modified by: @pavel-zotov

QA Status: No test

@firebird-automations

Modified by: @pavel-zotov

status: Closed [ 6 ] => Closed [ 6 ]

QA Status: No test => Cannot be tested
