Some fixes for overflows through "INTERBASE"* environment variables (CAN-2003-0281); not sure if it's complete - overflows may still exist in further usage of buffers initialized from env vars truncard to MAXPATHLEN...
--- firebird-1.0.2.908/wal/wal.c.orig 2000-08-03 22:54:30.000000000 +0200
+++ firebird-1.0.2.908/wal/wal.c 2003-10-29 21:12:08.203320272 +0100
@@ -1142,7 +1142,7 @@
 *
 **************************************/
 WALS WAL_segment;
-TEXT image_name [256];
+TEXT image_name [MAXPATHLEN];
 int pid;
 gds__prefix (image_name, WAL_WRITER);
--- firebird-1.0.2.908/utilities/srvrmgr.c.orig 2003-10-29 21:13:23.238913128 +0100
+++ firebird-1.0.2.908/utilities/srvrmgr.c 2003-10-29 21:13:11.768656872 +0100
@@ -446,7 +446,7 @@
 *
 **************************************/
 TEXT msg [MSG_LEN];
-TEXT path[PATHLEN];
+TEXT path[MAXPATHLEN];
 TEXT *argv[4];
 int retry;
 pid_t pid, ret_value;
@@ -572,7 +572,7 @@
 *
 **************************************/
 STATUS status[STATUS_BUFLEN];
-TEXT path[PATHLEN];
+TEXT path[MAXPATHLEN];
 TEXT db_name[128];
 isc_db_handle db_handle = 0L;
 BOOLEAN ok;
--- firebird-1.0.2.908/remote/inet.c.orig 2002-08-22 07:45:42.000000000 +0200
+++ firebird-1.0.2.908/remote/inet.c 2003-10-29 21:10:52.813781224 +0100
@@ -2373,7 +2373,7 @@
 *
 **************************************/
 IB_FILE *proxy;
-TEXT *p, proxy_file [64], source_user [64], source_host [MAXHOSTLEN],
+TEXT *p, proxy_file [MAXPATHLEN], source_user [64], source_host [MAXHOSTLEN],
 target_user [64], line [128];
 int c;
 BOOLEAN result;
--- firebird-1.0.2.908/lock/lock.c.orig 2002-04-11 03:04:25.000000000 +0200
+++ firebird-1.0.2.908/lock/lock.c 2003-10-29 21:09:57.632170104 +0100
@@ -2239,8 +2239,8 @@
 /* The lock file has some problem - copy it for later analysis */
 {
 TEXT *lock_file;
- TEXT buffer [256];
- TEXT buffer2 [256];
+ TEXT buffer [MAXPATHLEN*2 + 256];
+ TEXT buffer2 [MAXPATHLEN + 256];
 TEXT hostname [64];
 gds__prefix_lock (buffer, LOCK_FILE);
 lock_file = buffer;
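Review bot: The new bounds `MAXPATHLEN*2 + 256` and `MAXPATHLEN + 256` for `buffer` and `buffer2` encode how the two buffers are filled further down (presumably a copy command assembled from the `gds__prefix_lock` result and `hostname [64]`), but nothing at the declaration records that derivation, so the next reader cannot verify the arithmetic. A comment at the declarations such as `/* buffer: two paths of up to MAXPATHLEN plus command text; buffer2: one path plus hostname and suffix — confirm against the formatting call below */`, together with a size-bounded formatting call where they are built, would make the sizes auditable instead of a guess that happens to be larger than before. The block continues outside the hunk.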
@@ -3007,7 +3007,7 @@
 * Fork lock manager process.
 *
 **************************************/
-TEXT string [256];
+TEXT string [MAXPATHLEN];
 struct stat stat_buf;
 int pid;
@@ -3280,7 +3280,7 @@
 #ifdef WINDOWS_ONLY
 TEXT *buffer = (TEXT*) gds__alloc ((SLONG) BUFFER_MEDIUM);
 #else
-TEXT buffer [256];
+TEXT buffer [MAXPATHLEN];
 #endif
 #endif
--- firebird-1.0.2.908/jrd/gds.c.orig 2002-10-13 07:39:08.000000000 +0200
+++ firebird-1.0.2.908/jrd/gds.c 2003-10-29 20:43:18.367295320 +0100
@@ -2710,8 +2710,9 @@
 ib_prefix = getenv("ProgramFiles");
 if (ib_prefix) {
- strcpy(ib_prefix_val, ib_prefix);
- strcat(ib_prefix_val, "\\Borland\\Interbase\\");
+ ib_prefix_val[MAXPATHLEN - 1] = 0;
+ strncpy(ib_prefix_val, ib_prefix, MAXPATHLEN - 1);
+ strncat(ib_prefix_val, "\\Borland\\Interbase\\", MAXPATHLEN - 1 - strlen(ib_prefix));
 } else {
 /* ISC_PREFIX currently defaults to */
 /* "C:\Program Files\Borland\InterBase\" */
@@ -2742,16 +2743,28 @@
 ib_prefix = ib_prefix_val;
 }
 }
+/* ugh. string SHOULD be at least MAXPATHLEN long, but we CAN'T assume this */
+/* note: strlen(string)==0 here */
 #ifdef mpexl
- strcat (string, root);
- strcat (string, ib_prefix);
+ strncat (string, root, MAXPATHLEN - 1);
+ if(strlen(root) >= MAXPATHLEN - 1)
+ string[MAXPATHLEN - 1] = 0;
+ else {
+ strncat (string, ib_prefix, MAXPATHLEN - 1 - strlen(root));
+ if(strlen(root) + strlen(ib_prefix) >= MAXPATHLEN - 1)
+ string[MAXPATHLEN - 1] = 0;
+ }
 #else /* mpexl */
- strcat (string, ib_prefix);
+ strncat (string, ib_prefix, MAXPATHLEN - 1);
+ if (strlen(ib_prefix) >= MAXPATHLEN - 1)
+ string[MAXPATHLEN - 1] = 0;
 #ifndef NETWARE_386
- if (string [strlen (string) - 1] != '/')
+ if ((string [strlen (string) - 1] != '/') && (strlen(string) < MAXPATHLEN - 1))
 strcat (string, "/");
 #endif
- strcat (string, root);
+ if(strlen(string) + strlen(root) >= MAXPATHLEN - 1)
+ string[MAXPATHLEN - 1] = 0;
+ strncat (string, root, MAXPATHLEN - 1 - strlen(string));
 #endif /* mpexl */
 }
 #endif /* !defined(VMS) */
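Review bot: In the gds.c hunk at 2710 the bound passed to the new `strncat` is computed from `strlen(ib_prefix)`, the untruncated source, so when the `ProgramFiles` value is MAXPATHLEN characters or longer `MAXPATHLEN - 1 - strlen(ib_prefix)` wraps to a huge size_t and strncat appends the suffix past the end of the buffer the preceding strncpy just filled (assuming ib_prefix_val is MAXPATHLEN bytes, as the index on the first added line implies). The remaining room has to be derived from the destination after truncation: `strncat(ib_prefix_val, "\\Borland\\Interbase\\", MAXPATHLEN - 1 - strlen(ib_prefix_val));` — the NUL stored at `ib_prefix_val[MAXPATHLEN - 1]` on the line above guarantees that strlen cannot exceed MAXPATHLEN - 1, so the subtraction cannot wrap. The enclosing function continues outside the hunk.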
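Review bot: The rewritten `if` on the non-mpexl path of the 2742 hunk still evaluates `string [strlen (string) - 1]` before anything establishes that string is non-empty, so if ib_prefix can be empty (the description says these prefixes come from environment variables) the index underflows and the read lands far outside the buffer; the length condition the commit adds only bounds the other side of the `&&`. An emptiness test belongs first: `if (strlen (string) != 0 && string [strlen (string) - 1] != '/' && strlen (string) < MAXPATHLEN - 1)`; the same rewritten line appears in the gds.c hunks at 2838 and 2939. Separately, each `string[MAXPATHLEN - 1] = 0;` that follows a strncat in this hunk is redundant, because strncat always terminates its result within the bound it was given, so keeping only the comment that explains the MAXPATHLEN assumption would leave less code to audit. The enclosing function starts outside the hunk.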
@@ -2838,20 +2851,33 @@
 } else {
- strcat (ib_prefix_lock_val, ib_prefix_lock);
+ ib_prefix_lock_val[MAXPATHLEN - 1] = 0;
+ strncat (ib_prefix_lock_val, ib_prefix_lock, MAXPATHLEN - 1 - strlen(ib_prefix_lock_val));
 ib_prefix_lock = ib_prefix_lock_val;
 }
 }
+/* ugh. string SHOULD be at least MAXPATHLEN long, but we CAN'T assume this */
+/* note: strlen(string)==0 here */
 #ifdef mpexl
-strcat (string, root);
-strcat (string, ib_prefix_lock);
+strncat (string, root, MAXPATHLEN - 1);
+if(strlen(root) >= MAXPATHLEN - 1)
+ string[MAXPATHLEN - 1] = 0;
+else {
+ strncat (string, ib_prefix_lock, MAXPATHLEN - 1 - strlen(root));
+ if(strlen(root) + strlen(ib_prefix_lock) >= MAXPATHLEN - 1)
+ string[MAXPATHLEN - 1] = 0;
+}
 #else
-strcat (string, ib_prefix_lock);
+strncat (string, ib_prefix_lock, MAXPATHLEN - 1);
+if (strlen(ib_prefix) >= MAXPATHLEN - 1)
+ string[MAXPATHLEN - 1] = 0;
 #ifndef NETWARE_386
-if (string [strlen (string) - 1] != '/')
+if ((string [strlen (string) - 1] != '/') && (strlen(string) < MAXPATHLEN - 1))
 strcat (string, "/");
 #endif
-strcat (string, root);
+if(strlen(string) + strlen(root) >= MAXPATHLEN - 1)
+ string[MAXPATHLEN - 1] = 0;
+strncat (string, root, MAXPATHLEN - 1 - strlen(string));
 #endif
 }
 #endif
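Review bot: On the non-mpexl path the added guard tests `strlen(ib_prefix)` although the string just appended is `ib_prefix_lock`; the 2939 hunk has the same slip, testing `ib_prefix` right after appending `ib_prefix_msg`. The mistake is masked only because strncat already terminates its result, so the assignment the guard protects never changes anything; either drop the two lines or make them read the variable actually used, `if (strlen(ib_prefix_lock) >= MAXPATHLEN - 1)`. Left as is, a check that looks correct at a glance is reading a different prefix than the one it claims to bound. The enclosing function starts outside the hunk.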
@@ -2939,21 +2965,34 @@
 } else {
- strcat (ib_prefix_msg_val, ib_prefix_msg);
+ ib_prefix_msg_val[MAXPATHLEN - 1] = 0;
+ strncat (ib_prefix_msg_val, ib_prefix_msg, MAXPATHLEN - 1 - strlen(ib_prefix_msg_val));
 ib_prefix_msg = ib_prefix_msg_val;
 }
 }
+/* ugh. string SHOULD be at least MAXPATHLEN long, but we CAN'T assume this */
+/* note: strlen(string)==0 here */
 #ifdef mpexl
-strcat (string, root);
-strcat (string, ib_prefix_msg);
+strncat (string, root, MAXPATHLEN - 1);
+if(strlen(root) >= MAXPATHLEN - 1)
+ string[MAXPATHLEN - 1] = 0;
+else {
+ strncat (string, ib_prefix_msg, MAXPATHLEN - 1 - strlen(root));
+ if(strlen(root) + strlen(ib_prefix_msg) >= MAXPATHLEN - 1)
+ string[MAXPATHLEN - 1] = 0;
+}
 #else
-strcat (string, ib_prefix_msg);
+strncat (string, ib_prefix_msg, MAXPATHLEN - 1);
+if (strlen(ib_prefix) >= MAXPATHLEN - 1)
+ string[MAXPATHLEN - 1] = 0;
 #ifndef NETWARE_386
-if (string [strlen (string) - 1] != '/')
+if ((string [strlen (string) - 1] != '/') && (strlen(string) < MAXPATHLEN - 1))
 strcat (string, "/");
 #endif
-strcat (string, root);
+if(strlen(string) + strlen(root) >= MAXPATHLEN - 1)
+ string[MAXPATHLEN - 1] = 0;
+strncat (string, root, MAXPATHLEN - 1 - strlen(string));
 #endif
 }
 #endif
--- firebird-1.0.2.908/jrd/builtin.c.orig 2000-12-29 14:05:07.000000000 +0100
+++ firebird-1.0.2.908/jrd/builtin.c 2003-10-29 20:56:16.270036128 +0100
@@ -74,7 +74,7 @@
 *
 **************************************/
 FN *function;
-TEXT *p, temp [256], *ep;
+TEXT *p, temp [MAXPATHLEN], *ep;
 TEXT *modname;
 /* Strip off any preceeding $INTERBASE path location from the
--- firebird-1.0.2.908/jrd/event.c.orig 2002-06-21 20:56:55.000000000 +0200
+++ firebird-1.0.2.908/jrd/event.c 2003-10-29 20:57:01.379178496 +0100
@@ -258,7 +258,7 @@
 * exits, otherwise return NULL.
 *
 **************************************/
-TEXT *event_file, buffer [256];
+TEXT *event_file, buffer [MAXPATHLEN];
 /* If we're already initialized, there's nothing to do */
--- firebird-1.0.2.908/jrd/isc.c.orig 2002-06-21 20:56:55.000000000 +0200
+++ firebird-1.0.2.908/jrd/isc.c 2003-10-29 21:00:27.988769064 +0100
@@ -520,7 +520,7 @@
 {
 IB_FILE *fd;
 TEXT *p, *q, buf[80];
- TEXT buffer [256];
+ TEXT buffer [MAXPATHLEN];
 #ifdef SUPERSERVER
 int n;
 TEXT dir_name[MAX_PATH_LENGTH];
@@ -724,7 +724,7 @@
 IB_FILE *fd = NULL;
 IPCCFG h;
 struct cfgtbl *t;
-TEXT buffer [256];
+TEXT buffer [MAXPATHLEN];
 int ret = 1;
 if (config_file)
--- firebird-1.0.2.908/jrd/isc_cray.c.orig 2000-08-03 22:50:47.000000000 +0200
+++ firebird-1.0.2.908/jrd/isc_cray.c 2003-10-29 21:01:52.928856208 +0100
@@ -654,7 +654,7 @@
 **************************************/
 SLONG msg [3];
 int status, pipes [2];
-TEXT process [64], arg [10];
+TEXT process [MAXPATHLEN], arg [10];
 status = kill (pid, signal_number);
--- firebird-1.0.2.908/jrd/isc_ipc.c.orig 2002-06-21 20:56:55.000000000 +0200
+++ firebird-1.0.2.908/jrd/isc_ipc.c 2003-10-29 21:02:12.890821528 +0100
@@ -773,7 +773,7 @@
 **************************************/
 SLONG msg [3];
 int status, pipes [2];
-TEXT process [64], arg [10];
+TEXT process [MAXPATHLEN], arg [10];
 #ifdef NeXT
 /* If not a UNIX signal, send to port watcher */
--- firebird-1.0.2.908/jrd/log.c.orig 2000-08-03 22:50:56.000000000 +0200
+++ firebird-1.0.2.908/jrd/log.c 2003-10-29 21:03:49.526130728 +0100
@@ -632,7 +632,7 @@
 DBB dbb;
 LOG log;
 #ifndef STACK_REDUCTION
-SCHAR *log_name, buffer [256];
+SCHAR *log_name, buffer [MAXPATHLEN];
 #else
 SCHAR *log_name, *buffer;
 #endif /* !STACK_REDUCTION */
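Review bot: In the isc.c hunk at 520, `buffer` is now sized with MAXPATHLEN while `dir_name`, three lines below, keeps MAX_PATH_LENGTH, so the function carries two different notions of a maximum path length; if either buffer is copied into the other further down (not visible in the hunk), that copy must be bounded by the smaller of the two constants, and this change does not establish which one that is. A comment at the declaration saying which constant is authoritative — or sizing both from the same one, if MAX_PATH_LENGTH is meant to equal MAXPATHLEN here — would remove the ambiguity. How buffer is filled cannot be seen from the hunk; the rest of the function is outside it.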
@@ -640,7 +640,7 @@
 int mask;
 #ifdef STACK_REDUCTION
-buffer = (SCHAR *)gds__alloc ((SLONG)BUFFER_MEDIUM);
+buffer = (SCHAR *)gds__alloc ((SLONG)((BUFFER_MEDIUM > MAXPATHLEN) ? BUFFER_MEDIUM : MAXPATHLEN));
 if(!buffer) /* NOMEM: */
 {
 error ("can't open log file (out of memory)");
--- firebird-1.0.2.908/jrd/svc.c.orig 2002-10-07 12:49:25.000000000 +0200
+++ firebird-1.0.2.908/jrd/svc.c 2003-10-29 21:07:08.137937144 +0100
@@ -149,7 +149,7 @@
 *status++ = (STATUS) ERR_string(svc,strlen(svc)); \
 *status++ = isc_arg_end; }
-#define ERR_FILE_IN_USE { TEXT buffer[256]; \
+#define ERR_FILE_IN_USE { TEXT buffer[MAXPATHLEN]; \
 gds__prefix (buffer, LOCK_HEADER); \
 *status++ = isc_file_in_use; \
 *status++ = isc_arg_string; \
@@ -849,7 +849,7 @@
 *
 **************************************/
 SCHAR item, *items, *end_items, *end;
-UCHAR buffer [256], dbbuf [1024];
+UCHAR buffer [MAXPATHLEN /* >=256 */], dbbuf [1024];
 USHORT l, length, version, get_flags;
 STATUS *status;
 #ifndef WINDOWS_ONLY
@@ -1361,7 +1361,7 @@
 *
 **************************************/
 SCHAR item, *items, *end_items, *end, *p, *q;
-UCHAR buffer [256];
+UCHAR buffer [MAXPATHLEN /* >=256 */];
 USHORT l, length, version, get_flags;
 USHORT num_att = 0;
 USHORT num_dbs = 0;
--- firebird-1.0.2.908/gpre/ftn.c.orig 2002-06-21 20:56:55.000000000 +0200
+++ firebird-1.0.2.908/gpre/ftn.c 2003-10-29 21:01:14.106758064 +0100
@@ -1551,7 +1551,7 @@
 TPB tpb;
 REQ request;
 BOOLEAN any_extern;
-TEXT include_buffer[512];
+TEXT include_buffer[MAXPATHLEN];
 #ifndef mpexl
 ISC_prefix (include_buffer, INCLUDE_FTN_FILE);
--- firebird-1.0.2.908/intl/dtest.c.orig 2000-08-03 22:49:04.000000000 +0200
+++ firebird-1.0.2.908/intl/dtest.c 2003-10-29 20:55:40.683446112 +0100
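Review bot: In the svc.c hunk at 849 the `/* >=256 */` inside the array bound of `buffer` records an assumption — that MAXPATHLEN is at least the 256 bytes the function was written for — which nothing enforces; the same comment recurs in the svc.c hunk at 1361 and, as `/* >=128 */`, in help.c at 201. If MAXPATHLEN is a macro, as it is in `<sys/param.h>`, the assumption can be checked once where the file picks it up: `#if MAXPATHLEN < 256` / `#error MAXPATHLEN is smaller than the 256 bytes svc.c relies on` / `#endif`. That turns a silent shrink on a platform with a small MAXPATHLEN into a compile-time failure instead of a stack buffer that is smaller than the code below it expects. The enclosing functions are outside the hunks.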
@@ -124,7 +124,7 @@
 #ifdef LIKE_JRD
 {
 char module[ 200 ];
- char path[ 200 ];
+ char path[ MAXPATHLEN ];
 char entry[ 200 ];
 int t_type;
 t_type = atoi( vector[ i ] );
--- firebird-1.0.2.908/csv/csi.c.orig 2000-08-03 22:43:03.000000000 +0200
+++ firebird-1.0.2.908/csv/csi.c 2003-10-29 20:53:28.947473024 +0100
@@ -3733,7 +3733,7 @@
 *
 **************************************/
 UCHAR output [128], error [128], *p, *q, process_name [16],
- pipe_temp [256], pipe_file [256];
+ pipe_temp [MAXPATHLEN], pipe_file [256];
 USHORT i, len;
 ULONG status, pid, flags, item;
 SLONG *privileges, procpriv [2], priority;
--- firebird-1.0.2.908/firebird/bellardo/darwin/installpath.c.orig 2001-02-04 05:06:13.000000000 +0100
+++ firebird-1.0.2.908/firebird/bellardo/darwin/installpath.c 2003-10-29 20:55:01.392419256 +0100
@@ -7,7 +7,7 @@
 int main()
 {
- char buff[2048];
+ char buff[MAXPATHLEN + 10];
 int offset;
 #ifdef VAR_PATH
--- firebird-1.0.2.908/porting/qli/help.c.orig 2003-01-04 14:08:01.000000000 +0100
+++ firebird-1.0.2.908/porting/qli/help.c 2003-10-29 20:51:01.799842864 +0100
@@ -201,7 +201,7 @@
 **************************************/
 NAM *ptr, *end, name;
 USHORT max_level;
-TEXT target [128], **topic, *topics [16];
+TEXT target [MAXPATHLEN /* >=128 */], **topic, *topics [16];
 if (!HELP_DB)
 {
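Review bot: In the csi.c hunk at 3733, `pipe_temp` grows to MAXPATHLEN but `pipe_file`, declared on the same line, stays at 256; if pipe_file is later filled from pipe_temp or from the same prefix (not visible here), the mismatch moves the overflow rather than removing it. Either size both from MAXPATHLEN or add a comment at the declaration stating why 256 remains sufficient for pipe_file, e.g. `pipe_temp [MAXPATHLEN], pipe_file [256]; /* pipe_file: <why 256 is enough — TODO confirm> */`. The enclosing function starts outside the hunk.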
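Review bot: In the installpath.c hunk the `+ 10` in `char buff[MAXPATHLEN + 10]` is unexplained slack; a reader cannot tell whether it covers a specific suffix appended below (outside the hunk) or is arbitrary, and `offset` on the next line suggests the buffer is written at a computed position. Name the slack or comment it at the declaration, e.g. `char buff[MAXPATHLEN + 10]; /* +10: room for <what main appends> — TODO confirm */`, and bound the write that follows with `sizeof buff`. main continues outside the hunk.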