centos 6
buffer weakness #33


Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against these vulnerabilities remain common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which the program then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on the OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

psqlodbc-08.04.0200/info.c

Context:

The highlighted line of code below is the trigger point of this particular Centos 6 buffer weakness. The call that matches the warning is the `strncat(tables_query, ..., sizeof(tables_query))` at the end of the first branch: the third argument of `strncat` bounds the number of characters appended, not the size of the destination, so passing the full buffer size does not account for the bytes already placed in `tables_query` by the preceding `strncpy_null` and `snprintf` calls. The enclosing function starts before and continues after the excerpt shown here.

 				 * 2000-03-21
				 */
				if (conn->schema_support)
				{
					strncpy_null(tables_query,
						"select ta.attname, ia.attnum, ic.relname, n.nspname, tc.relname"
						" from pg_catalog.pg_attribute ta,"
						" pg_catalog.pg_attribute ia, pg_catalog.pg_class tc,"
						" pg_catalog.pg_index i, pg_catalog.pg_namespace n"
						", pg_catalog.pg_class ic"
						, sizeof(tables_query));
					qsize = strlen(tables_query);
					tsize = sizeof(tables_query) - qsize;
					tbqry = tables_query + qsize;
					if (0 == reloid)
						snprintf(tbqry, tsize,
						" where tc.relname %s'%s'"
						" AND n.nspname %s'%s'"
						, eq_string, escTableName, eq_string, pkscm);
					else
						snprintf(tbqry, tsize,
						" where tc.oid = " FORMAT_UINT4
						, reloid);

					strncat(tables_query,
						" AND tc.oid = i.indrelid"
						" AND n.oid = tc.relnamespace"
						" AND i.indisprimary = 't'"
						" AND ia.attrelid = i.indexrelid"
						" AND ta.attrelid = i.indrelid"
						" AND ta.attnum = i.indkey[ia.attnum-1]"
						" AND (NOT ta.attisdropped)"
						" AND (NOT ia.attisdropped)"
						" AND ic.oid = i.indexrelid"
						" order by ia.attnum"
						, sizeof(tables_query));
				}
				else
				{
					strncpy_null(tables_query, 
						"select ta.attname, ia.attnum, ic.relname, NULL, tc.relname"
						" from pg_attribute ta, pg_attribute ia, pg_class tc, pg_index i, pg_class ic"
						, sizeof(tables_query));
					qsize = strlen(tables_query);
					tsize = sizeof(tables_query) - qsize;
					tbqry = tables_query + qsize;
					if (0 == reloid)
						snprintf(tbqry, tsize,
						" where tc.relname %s'%s'"
						, eq_string, escTableName); 
