From 8d51da5033f82c668db6b07f1cbec8269e4cd2bc Mon Sep 17 00:00:00 2001 From: Dan Scott <dscott@laurentian.ca> Date: Fri, 11 Jan 2013 01:32:13 -0500 Subject: [PATCH] Protect against overly long savepoint names Per http://postgresql.org/docs/9.1/static/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS, the maximum identifier length works out to being 63 bytes (+1 for the null terminator), so to avoid potential memory pressure by a 10GB string somehow being passed in as the savepoint name, malloc no more than 64 bytes and copy no more than 63 bytes from the incoming name to the escaped name. Signed-off-by: Dan Scott <dscott@laurentian.ca> Signed-off-by: Galen Charlton <gmc@esilibrary.com> --- Open-ILS/src/c-apps/oils_sql.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/Open-ILS/src/c-apps/oils_sql.c b/Open-ILS/src/c-apps/oils_sql.c index 08a390b759..d27c27274a 100644 --- a/Open-ILS/src/c-apps/oils_sql.c +++ b/Open-ILS/src/c-apps/oils_sql.c @@ -7288,11 +7288,25 @@ int writeAuditInfo( osrfMethodContext* ctx, const char* user_id, const char* ws_ static char* _sanitize_savepoint_name( const char* sp ) { const char* safe_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012345789_"; - char* safeSpName = safe_malloc( strlen( sp ) + 1); + + // PostgreSQL uses NAMEDATALEN-1 as a max length for identifiers, + // and the default value of NAMEDATALEN is 64; that should be long enough + // for our purposes, and it's unlikely that anyone is going to recompile + // PostgreSQL to have a smaller value, so cap the identifier name + // accordingly to avoid the remote chance that someone manages to pass in a + // 12GB savepoint name + const int MAX_LITERAL_NAMELEN = 63; + int len = 0; + len = strlen( sp ); + if (len > MAX_LITERAL_NAMELEN) { + len = MAX_LITERAL_NAMELEN; + } + + char* safeSpName = safe_malloc( len + 1 ); int i = 0; int j; char* found; - for (j = 0; j < strlen( sp ); j++) { + for (j = 0; j < len; j++) { found = strchr(safe_chars, sp[j]); if (found) { safeSpName[ i++ ] = found[0]; -- 2.11.0