From 8d51da5033f82c668db6b07f1cbec8269e4cd2bc Mon Sep 17 00:00:00 2001
From: Dan Scott <dscott@laurentian.ca>
Date: Fri, 11 Jan 2013 01:32:13 -0500
Subject: [PATCH] Protect against overly long savepoint names

Per http://postgresql.org/docs/9.1/static/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS,
the maximum identifier length works out to being 63 bytes (+1 for the
null terminator), so to avoid potential memory pressure by a 10GB string
somehow being passed in as the savepoint name, malloc no more than 64
bytes and copy no more than 63 bytes from the incoming name to the
escaped name.

Signed-off-by: Dan Scott <dscott@laurentian.ca>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
---
 Open-ILS/src/c-apps/oils_sql.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/Open-ILS/src/c-apps/oils_sql.c b/Open-ILS/src/c-apps/oils_sql.c
index 08a390b759..d27c27274a 100644
--- a/Open-ILS/src/c-apps/oils_sql.c
+++ b/Open-ILS/src/c-apps/oils_sql.c
@@ -7288,11 +7288,25 @@ int writeAuditInfo( osrfMethodContext* ctx, const char* user_id, const char* ws_
 static char* _sanitize_savepoint_name( const char* sp ) {
 
 	const char* safe_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012345789_";
-	char* safeSpName = safe_malloc( strlen( sp ) + 1);
+
+	// PostgreSQL uses NAMEDATALEN-1 as a max length for identifiers,
+	// and the default value of NAMEDATALEN is 64; that should be long enough
+	// for our purposes, and it's unlikely that anyone is going to recompile
+	// PostgreSQL to have a smaller value, so cap the identifier name
+	// accordingly to avoid the remote chance that someone manages to pass in a
+	// 12GB savepoint name
+	const int MAX_LITERAL_NAMELEN = 63;
+	int len = 0;
+	len = strlen( sp );
+	if (len > MAX_LITERAL_NAMELEN) {
+		len = MAX_LITERAL_NAMELEN;
+	}
+
+	char* safeSpName = safe_malloc( len + 1 );
 	int i = 0;
 	int j;
 	char* found;
-	for (j = 0; j < strlen( sp ); j++) {
+	for (j = 0; j < len; j++) {
 	found = strchr(safe_chars, sp[j]);
 		if (found) {
 			safeSpName[ i++ ] = found[0];
-- 
2.11.0