[unixODBC-dev] Possible buffer overflow in SQLConnect

ZIGLIO, Frediano, VF-IT Frediano.Ziglio at vodafone.com
Fri Sep 10 10:03:27 BST 2004


I'm debugging the FreeTDS ODBC driver...
In DriverManager/SQLConnect.c (version 2.2.10):

...
static struct lib_count *lib_list = NULL;
static struct lib_count single_lib_count;
static char single_lib_name[ 128 ];
...
            if ( lib_list == NULL )
            {
                    list = &single_lib_count;
                    list -> next = lib_list;
                    lib_list = list;
                    list -> count = 1;
                    list -> lib_name = single_lib_name;
                    strcpy( single_lib_name, libname );
                    list -> handle = hand;
            }
...

However, libname is limited to INI_MAX_PROPERTY_VALUE characters (1000),
so strcpy can lead to a buffer overflow. An easy fix is:

...
            if ( lib_list == NULL && strlen(libname) < sizeof(single_lib_name) )
            {
...

freddy77

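The following is an added example, not code from the post or from unixODBC: it reproduces the fixed-size 128-byte buffer and the length guard proposed above in a stand-alone C program, so the behaviour of the check can be exercised on both a normal driver name and a name at the 1000-character limit. The function names (store_lib_name, store_name_of_length, stored_lib_name_len) and the sample name "libtdsodbc.so" are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not unixODBC's code. Mirrors the
 * static char single_lib_name[128] buffer quoted in the post. */
#define LIB_NAME_SIZE 128
#define INI_MAX_PROPERTY_VALUE 1000   /* libname limit quoted in the post */

static char single_lib_name[LIB_NAME_SIZE];

/* Guarded copy, using the check the post proposes:
 *   strlen(libname) < sizeof(single_lib_name)
 * Returns 0 and copies when the name fits including the NUL terminator;
 * returns -1 and leaves the buffer untouched otherwise. Without this
 * guard a bare strcpy() writes past the end of single_lib_name for any
 * name of 128 or more characters. */
int store_lib_name(const char *libname)
{
    if (libname == NULL)
        return -1;
    if (strlen(libname) >= sizeof(single_lib_name))
        return -1;                      /* would not fit: refuse, do not truncate */
    strcpy(single_lib_name, libname);   /* safe: length verified above */
    return 0;
}

/* Helper for checks: length of whatever is currently stored. */
size_t stored_lib_name_len(void)
{
    return strlen(single_lib_name);
}

/* Builds a constructed name of n 'A' characters (n < 2048) and tries to
 * store it, so boundary lengths can be tested without hand-typed strings. */
int store_name_of_length(size_t n)
{
    char buf[2048];
    if (n >= sizeof(buf))
        return -1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return store_lib_name(buf);
}

int main(void)
{
    /* "libtdsodbc.so" is a constructed sample driver name. */
    printf("13 chars   -> %d\n", store_lib_name("libtdsodbc.so"));
    printf("127 chars  -> %d\n", store_name_of_length(127));
    printf("128 chars  -> %d\n", store_name_of_length(128));
    printf("1000 chars -> %d\n", store_name_of_length(INI_MAX_PROPERTY_VALUE));
    return 0;
}
```

Note that the guard refuses an oversized name rather than truncating it: in the original code the whole branch is skipped when the check fails, so the caller should treat that as a load failure rather than assume the name was recorded.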