Re: Unbounded %s in sscanf
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2021-07-03T20:18:54Z
Lists: pgsql-hackers
Attachments
- v3-0003-Fix-bug-in-TOC-file-error-message-printing.patch (application/octet-stream) patch v3-0003
- v3-0002-Fix-sscanf-limit-in-pg_dump.patch (application/octet-stream) patch v3-0002
- v3-0001-Fix-sscanf-limit-in-pg_basebackup.patch (application/octet-stream) patch v3-0001
> On 28 Jun 2021, at 16:45, Daniel Gustafsson <daniel@yesql.se> wrote: > >> On 28 Jun 2021, at 16:02, Tom Lane <tgl@sss.pgh.pa.us> wrote: > >> Ugh. Shouldn't we instead modify the format to read not more than >> two characters? Even if this is safe on non-malicious input, it >> doesn't seem like good style. > > No disagreement, I was only basing it on what is in the tree. I would propose > that we change the sscanf in _LoadBlobs() too though to eliminate all such > callsites, even though that one is even safer. I'll prepare a patch once more > caffeine has been ingested. Returning to this, attached is a patchset which amends the two sscanf() callsites with their respective buffersizes for %s format parsing. In pg_dump we need to inject the MAXPGPATH limit with the preprocessor and thus the buffer needs to be increased by one to account for the terminator (which is yet more hygiene coding since the fname buffer is now larger than the input buffer). While in here, I noticed that the fname variable is shadowed in the loop parsing the blobs TOC which yields a broken error message on parse errors. The attached 0003 fixes that. -- Daniel Gustafsson https://vmware.com/
Commits
-
Fix bug in TOC file error message printing
- ef1f15819a38 9.6.24 landed
- e788883de715 12.9 landed
- 998d060f3db7 15.0 landed
- 687fe8a9d7a6 13.5 landed
- 4fda03b671a6 10.19 landed
- 3e2f32b01d3b 14.1 landed
- 038892c81018 11.14 landed
-
Fix sscanf limits in pg_basebackup and pg_dump
- d3a4c1eb3d21 13.5 landed
- 931f3926a9f6 11.14 landed
- 57bf8f7b75ec 12.9 landed
- 1d7641d51a51 15.0 landed
- 121be6a665aa 14.1 landed
-
Fix sscanf limits in pg_dump
- abdf81a20ba2 10.19 landed
- 6b96aafc67ac 9.6.24 landed