
INF_* functions may invalidate the whole output buffer with isc_info_truncated at the beginning due to boundary condition. [CORE2313] #2737

Closed
firebird-issue-importer opened this issue Feb 9, 2009 · 6 comments

Comments

@firebird-issue-importer firebird-issue-importer commented Feb 9, 2009

Submitted by: Claudio Valderrama C. (robocop)

Assigned to: Claudio Valderrama C. (robocop)

In FB1, I noticed that INF_put_item may put the requested item but without leaving any space for isc_info_end and thus returning a malformed buffer to the user, that may eventually crash while finding the end of the binary string. Hence, I made INF_put_item check for one byte more of space before writing, otherwise putting isc_info_truncated and nothing more. This change avoided cluttering the code in the INF_* functions with checks and it worked well in FB1.0, FB1.5 and FB2.0.
However, in FB2.1, Vlad added isc_info_length as an initial item to inform the user of the output's total length. For this task, once the buffer is filled, he shifts it to make room for 7 bytes at the beginning and calls INF_put_item. However, this function is unaware that it's inserting (isc_info_end is already stored) and if only 7 bytes are available in the buffer, it will fail, writing isc_info_truncated at the very beginning, effectively invalidating all the information stored in the output buffer. This is a boundary case and I didn't find it in practice but by reading the code. The affected functions are those where Vlad made the enhancement: INF_blob_info, INF_request_info and INF_transaction_info. INF_database_info isn't affected because it was left unchanged by Vlad.

Commits: 05feaac 5a75b12
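The boundary condition described in the report, modelled in C as an added example (this is not Firebird's code): a simplified put_item that applies the FB1 rule of reserving one extra byte for isc_info_end, and a prepend step that either reuses put_item on the 7-byte hole it made (the FB2.1 path, which stamps isc_info_truncated over the start of a buffer that has exactly 7 bytes free) or writes only the 7 bytes it actually needs. The item encoding, the item tag 10, the 16-byte buffer and the function names are constructed; the isc_info_* tag values are assumed to match ibase.h.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Tag values assumed from ibase.h. */
enum { ISC_INFO_END = 1, ISC_INFO_TRUNCATED = 2, ISC_INFO_LENGTH = 126 };

/* Append one item as tag, 2-byte little-endian length, data.  Refuses unless one
 * byte beyond the item stays free for a later isc_info_end; on refusal it writes
 * isc_info_truncated at the current position and returns NULL (the FB1 rule). */
static uint8_t *put_item(uint8_t *p, const uint8_t *end, uint8_t tag,
                         uint16_t len, const void *data) {
    if (p + 3 + len + 1 > end) {           /* +1 reserves room for isc_info_end */
        if (p < end) *p = ISC_INFO_TRUNCATED;
        return NULL;
    }
    *p++ = tag; *p++ = len & 0xff; *p++ = len >> 8;
    memcpy(p, data, len);
    return p + len;
}

/* Prepend isc_info_length (7 bytes: tag, length 4, 4-byte value) to a finished
 * buffer whose isc_info_end is already stored; `used` includes that end marker.
 * With reuse_put_item the hole is filled through put_item, which insists on
 * 7 + 1 bytes and so fails on a 7-byte hole; otherwise the 7 bytes are written
 * directly, since no second end marker is needed.  Returns false if it did not fit. */
static bool prepend_length(uint8_t *buf, size_t cap, size_t used, bool reuse_put_item) {
    if (used + 7 > cap) return false;      /* no room to shift the payload right */
    memmove(buf + 7, buf, used);
    uint32_t total = (uint32_t)(used + 7);
    uint8_t v[4] = { total & 0xff, (total >> 8) & 0xff, (total >> 16) & 0xff, total >> 24 };
    if (reuse_put_item)                    /* limit is the 7-byte hole just opened */
        return put_item(buf, buf + 7, ISC_INFO_LENGTH, 4, v) != NULL;
    buf[0] = ISC_INFO_LENGTH; buf[1] = 4; buf[2] = 0;
    memcpy(buf + 3, v, 4);
    return true;
}

/* Build a 16-byte reply holding one constructed 5-byte item plus isc_info_end
 * (9 bytes used, exactly 7 free), then prepend the length item.  Returns the
 * first byte of the buffer: 126 when intact, 2 (isc_info_truncated) when the
 * FB2.1 path clobbers it and hides every item behind it. */
int first_tag_after_prepend(bool reuse_put_item) {
    uint8_t buf[16] = {0};
    uint8_t *p = put_item(buf, buf + sizeof buf, 10, 5, "hello");
    *p++ = ISC_INFO_END;
    prepend_length(buf, sizeof buf, (size_t)(p - buf), reuse_put_item);
    return buf[0];
}
```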


@firebird-issue-importer firebird-issue-importer commented Feb 9, 2009

Modified by: Claudio Valderrama C. (robocop)

assignee: Claudio Valderrama C. [ robocop ]


@firebird-issue-importer firebird-issue-importer commented Feb 9, 2009

Commented by: Claudio Valderrama C. (robocop)

SVC_query2 is affected as well. This means the call to get information from a service may exhibit the same anomalous behavior.


@firebird-issue-importer firebird-issue-importer commented Feb 12, 2009

Modified by: Claudio Valderrama C. (robocop)

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 2.5 Beta 1 [ 10251 ]

Fix Version: 2.1.3 [ 10302 ]


@firebird-issue-importer firebird-issue-importer commented Nov 8, 2009

Modified by: @pcisar

status: Resolved [ 5 ] => Closed [ 6 ]


@firebird-issue-importer firebird-issue-importer commented Jan 18, 2016

Modified by: @pavel-zotov

QA Status: No test


@firebird-issue-importer firebird-issue-importer commented Aug 22, 2016

Modified by: @pavel-zotov

status: Closed [ 6 ] => Closed [ 6 ]

QA Status: No test => Cannot be tested
