[
https://issues.apache.org/jira/browse/IGNITE-16279?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ivan Daschinsky updated IGNITE-16279:
-------------------------------------
Description:
Platform: ubuntu 20.04, UnixODBC 2.3.7
{code}
Index: modules/platforms/cpp/odbc/src/utility.cpp
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/modules/platforms/cpp/odbc/src/utility.cpp
b/modules/platforms/cpp/odbc/src/utility.cpp
--- a/modules/platforms/cpp/odbc/src/utility.cpp (revision
e18bbbedfa23f4a4c7bcd1f4c48fa881411e5653)
+++ b/modules/platforms/cpp/odbc/src/utility.cpp (date 1641994995236)
@@ -136,8 +136,10 @@
if (!sqlStr || !sqlStrLen)
return res;
- if (sqlStrLen == SQL_NTS)
+ if (sqlStrLen == SQL_NTS) {
+ std::cout << "Hopla " << sqlStrC << std::endl; // Here we go,
unexpected.
res.assign(sqlStrC);
+ }
else if (sqlStrLen > 0)
res.assign(sqlStrC, sqlStrLen);
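Review bot: The added `std::cout << "Hopla " << sqlStrC << std::endl;` line in the SQL_NTS branch streams sqlStrC as a NUL-terminated string, so the diagnostic itself reads past the end of an unterminated buffer before `res.assign(sqlStrC)` runs. The ASan report may therefore point at the print rather than at the conversion. A probe that does not touch the data would log only the address and length, e.g. `std::cerr << "SQL_NTS, ptr=" << static_cast<const void*>(sqlStrC) << " len=" << sqlStrLen << std::endl;` (assuming sqlStrC is a character pointer, which the hunk does not show). The enclosing function starts and ends outside the hunk, and the same hunk is repeated twice further down in this message (the previous description and the quoted copy).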
{code}
Run {{TestStingParamNullLen}} under ASan and get report:
https://gist.github.com/ivandasch/00fc80c31cb48022eed81a72ff3c4fc6
To run under sanitizer:
1. Add flags
{code}
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address
-fno-omit-frame-pointer -fno-sanitize-recover -g")
{code}
2. Run
{code}
✗ JAVA_HOME=/opt/jdk/jdk1.8.0_281
ASAN_OPTIONS=handle_segv=0:detect_leaks=0:symbolize=1
IGNITE_NATIVE_TEST_ODBC_CONFIG_PATH=/home/ivandasch/Job/ignite-cpp/modules/platforms/cpp/odbc-test/config
ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./odbc-test/ignite-odbc-tests
-t '*/TestStingParamNullLen'
{code}
P.S.
This appears to be a problem in the test: the test passes a string that is not
NULL-terminated and forgets to pass the StrLen parameter at the end. Without
that length pointer the string is treated as SQL_NTS, so it is read past the end
of the buffer until a NUL byte is found.
Current code
{code}
ret = SQLBindParameter(stmt, 1, SQL_PARAM_INPUT, SQL_C_CHAR, SQL_VARCHAR,
paramData.size(), 0, &paramData[0], paramLen, 0);
{code}
Should be
{code}
ret = SQLBindParameter(stmt, 1, SQL_PARAM_INPUT, SQL_C_CHAR, SQL_VARCHAR,
paramData.size(), 0, &paramData[0], paramLen, &paramLen);
{code}
was:
Platform: ubuntu 20.04, UnixODBC 2.3.7
{code}
Index: modules/platforms/cpp/odbc/src/utility.cpp
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/modules/platforms/cpp/odbc/src/utility.cpp
b/modules/platforms/cpp/odbc/src/utility.cpp
--- a/modules/platforms/cpp/odbc/src/utility.cpp (revision
e18bbbedfa23f4a4c7bcd1f4c48fa881411e5653)
+++ b/modules/platforms/cpp/odbc/src/utility.cpp (date 1641994995236)
@@ -136,8 +136,10 @@
if (!sqlStr || !sqlStrLen)
return res;
- if (sqlStrLen == SQL_NTS)
+ if (sqlStrLen == SQL_NTS) {
+ std::cout << "Hopla " << sqlStrC << std::endl; // Here we go,
unexpected.
res.assign(sqlStrC);
+ }
else if (sqlStrLen > 0)
res.assign(sqlStrC, sqlStrLen);
{code}
Run {{TestStingParamNullLen}} under ASan and get report:
https://gist.github.com/ivandasch/00fc80c31cb48022eed81a72ff3c4fc6
To run under sanitizer:
1. Add flags
{code}
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address
-fno-omit-frame-pointer -fno-sanitize-recover -g")
{code}
2. Run
{code}
✗ JAVA_HOME=/opt/jdk/jdk1.8.0_281
ASAN_OPTIONS=handle_segv=0:detect_leaks=0:symbolize=1
IGNITE_NATIVE_TEST_ODBC_CONFIG_PATH=/home/ivandasch/Job/ignite-cpp/modules/platforms/cpp/odbc-test/config
ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./odbc-test/ignite-odbc-tests
-t '*/TestStingParamNullLen'
{code}
> CPP: ODBC String with fixed length is treated as SQL_NTS, causes heap buffer
> overflow
> -------------------------------------------------------------------------------------
>
> Key: IGNITE-16279
> URL: https://issues.apache.org/jira/browse/IGNITE-16279
> Project: Ignite
> Issue Type: Bug
> Components: odbc, platforms
> Affects Versions: 2.12
> Reporter: Ivan Daschinsky
> Priority: Major
>
> Platform: ubuntu 20.04, UnixODBC 2.3.7
> {code}
> Index: modules/platforms/cpp/odbc/src/utility.cpp
> IDEA additional info:
> Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
> <+>UTF-8
> ===================================================================
> diff --git a/modules/platforms/cpp/odbc/src/utility.cpp
> b/modules/platforms/cpp/odbc/src/utility.cpp
> --- a/modules/platforms/cpp/odbc/src/utility.cpp (revision
> e18bbbedfa23f4a4c7bcd1f4c48fa881411e5653)
> +++ b/modules/platforms/cpp/odbc/src/utility.cpp (date 1641994995236)
> @@ -136,8 +136,10 @@
> if (!sqlStr || !sqlStrLen)
> return res;
>
> - if (sqlStrLen == SQL_NTS)
> + if (sqlStrLen == SQL_NTS) {
> + std::cout << "Hopla " << sqlStrC << std::endl; // Here we
> go, unexpected.
> res.assign(sqlStrC);
> + }
> else if (sqlStrLen > 0)
> res.assign(sqlStrC, sqlStrLen);
>
> {code}
> Run {{TestStingParamNullLen}} under ASan and get report:
> https://gist.github.com/ivandasch/00fc80c31cb48022eed81a72ff3c4fc6
> To run under sanitizer:
> 1. Add flags
> {code}
> set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address
> -fno-omit-frame-pointer -fno-sanitize-recover -g")
> {code}
> 2. Run
> {code}
> ✗ JAVA_HOME=/opt/jdk/jdk1.8.0_281
> ASAN_OPTIONS=handle_segv=0:detect_leaks=0:symbolize=1
> IGNITE_NATIVE_TEST_ODBC_CONFIG_PATH=/home/ivandasch/Job/ignite-cpp/modules/platforms/cpp/odbc-test/config
> ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./odbc-test/ignite-odbc-tests
> -t '*/TestStingParamNullLen'
> {code}
> P.S.
> This appears to be a problem in the test: the test passes a string that is not
> NULL-terminated and forgets to pass the StrLen parameter at the end. Without
> that length pointer the string is treated as SQL_NTS, so it is read past the
> end of the buffer until a NUL byte is found.
> Current code
> {code}
> ret = SQLBindParameter(stmt, 1, SQL_PARAM_INPUT, SQL_C_CHAR, SQL_VARCHAR,
> paramData.size(), 0, &paramData[0], paramLen, 0);
> {code}
> Should be
> {code}
> ret = SQLBindParameter(stmt, 1, SQL_PARAM_INPUT, SQL_C_CHAR, SQL_VARCHAR,
> paramData.size(), 0, &paramData[0], paramLen, &paramLen);
> {code}