[SR-Dev] git:janakj/postgres: - bugfix for (small) potential buffer overflow in BLOB escaping

Jan Janak jan at iptel.org
Wed Feb 18 01:26:19 CET 2009


Module: sip-router
Branch: janakj/postgres
Commit: 5bea0d904ef95a2813c10c7d77f1d1a03959f29d
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=5bea0d904ef95a2813c10c7d77f1d1a03959f29d

Author: Henning Westerholt <henning.westerholt at 1und1.de>
Committer: Henning Westerholt <henning.westerholt at 1und1.de>
Date:   Mon Feb 11 14:40:27 2008 +0000

- bugfix for (small) potential buffer overflow in BLOB escaping


git-svn-id: https://openser.svn.sourceforge.net/svnroot/openser/trunk@3680 689a6050-402a-0410-94f2-e92a70836424

---

 modules/db_postgres/km_db_val.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/modules/db_postgres/km_db_val.c b/modules/db_postgres/km_db_val.c
index ee0e45c..c5b914b 100644
--- a/modules/db_postgres/km_db_val.c
+++ b/modules/db_postgres/km_db_val.c
@@ -263,6 +263,7 @@ int db_postgres_val2str(const db_con_t* _con, const db_val_t* _v, char* _s, int*
 
 	case DB_BLOB:
 		l = VAL_BLOB(_v).len;
+		/* this estimation is not always correct, thus we need to check later again */
 		if (*_len < (l * 2 + 3)) {
 			LM_ERR("destination buffer too short for blob\n");
 			return -7;
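Review bot: the new comment above `if (*_len < (l * 2 + 3))` says the estimate can be wrong but not in which direction or why, so a reader cannot tell whether this pre-check is still meant to be a bound. The authoritative check is now the one made on tmp_len after escaping, so say that here (for example, that this is only a cheap early reject and the real length is verified after PQescapeBytea), or replace `l * 2 + 3` with a true worst-case size so the later check becomes a pure safety net.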
@@ -275,6 +276,10 @@ int db_postgres_val2str(const db_con_t* _con, const db_val_t* _v, char* _s, int*
 				LM_ERR("PQescapeBytea failed\n");
 				return -7;
 			}
+			if (tmp_len > *_len) {
+				LM_ERR("escaped result too long\n");
+				return -7;
+			}
 			memcpy(_s, tmp_s, tmp_len);
 			PQfreemem(tmp_s);
 			tmp_len = strlen(_s);
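Review bot: the new `if (tmp_len > *_len)` branch returns -7 without calling `PQfreemem(tmp_s)`, so the buffer returned by PQescapeBytea leaks every time an oversized blob is rejected. Free it before `return -7`, as the success path does right after the `memcpy`. Separately, if the code following the copy appends delimiters or a terminator (the `+ 3` in the earlier estimate suggests it does), the comparison should reserve that space as well instead of accepting `tmp_len == *_len`.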



