Overflow in SQLGetInfo.c:515

[jcnelson515]

*string_length = strlen(info_value); line 515 in SQLGetInfo.c

*string_length is SQLSMALLINT
strlen returns size_t

found using "-fsanitize=address" compiler/linker option

The output from the sanitize is below in case it is useful:

==96547==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ff7b4f6d328 at pc 0x00010c264b7d bp 0x7ff7b4f6d120 sp 0x7ff7b4f6c8e8
READ of size 9 at 0x7ff7b4f6d328 thread T0
#0 0x10c264b7c in strlen+0x80c (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x17b7c)
#1 0x10bd19107 in SQLGetInfoInternal SQLGetInfo.c:515
#2 0x10afd1aec in std::__1::basic_string<char, std::__1::char_traits, std::__1::allocator> iscqd::connection::get_info_trunc<std::__1::basic_string<char, std::__1::char_traits, std::__1::allocator>, 0>(unsigned short) const connection.h:395
#3 0x10afd0db2 in (anonymous namespace)::ConnectionIT_get_info_trunc_dp410171_Test::TestBody() ConnectionIT.cpp:254
#4 0x10b1d79cb in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::)(), char const) gtest.cc:2469
#5 0x10b1d76e6 in testing::Test::Run() gtest.cc:2508
#6 0x10b1dbf65 in testing::TestInfo::Run() gtest.cc:2684
#7 0x10b1de106 in testing::TestSuite::Run() gtest.cc:2816
#8 0x10b20fd26 in testing::internal::UnitTestImpl::RunAllTests() gtest.cc:5338
#9 0x10b20e755 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::)(), char const) gtest.cc:2469
#10 0x10b20e4ce in testing::UnitTest::Run() gtest.cc:4925
#11 0x10b259b7d in main gtest_main.cc:45
#12 0x7ff81374d344 in start+0x774 (dyld:x86_64+0xfffffffffff5c344)

Address 0x7ff7b4f6d328 is located in stack of thread T0 at offset 136 in frame
#0 0x10afd190f in std::__1::basic_string<char, std::__1::char_traits, std::__1::allocator> iscqd::connection::get_info_trunc<std::__1::basic_string<char, std::__1::char_traits, std::__1::allocator>, 0>(unsigned short) const connection.h:387

This frame has 16 object(s):
[32, 40) 'ref.tmp.i.i290'
[64, 72) 'ref.tmp.i.i289'
[96, 104) 'ref.tmp.i.i'
[128, 136) 'InfoValue1' (line 388) <== Memory access at offset 136 overflows this variable
[160, 162) 'StringLength' (line 391)
[176, 200) 'state' (line 392)
[240, 264) 'records' (line 400)
[304, 328) 'ref.tmp' (line 401)
[368, 392) 'ref.tmp35' (line 415)
[432, 456) 'agg.tmp'
[496, 520) 'agg.tmp66'
[560, 584) 'agg.tmp85'
[624, 648) 'agg.tmp104'
[688, 4784) 'InfoValue2' (line 446)
[4912, 4914) 'StringLength2' (line 447)
[4928, 4952) 'ref.tmp138' (line 462)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x17b7c) in strlen+0x80c
Shadow bytes around the buggy address:
0x7ff7b4f6d080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ff7b4f6d100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ff7b4f6d180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ff7b4f6d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ff7b4f6d280: 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f8 f2 f2 f2
=>0x7ff7b4f6d300: f8 f2 f2 f2 00[f2]f2 f2 02 f2 00 00 00 f2 f2 f2
0x7ff7b4f6d380: f2 f2 f8 f8 f8 f2 f2 f2 f2 f2 f8 f8 f8 f2 f2 f2
0x7ff7b4f6d400: f2 f2 f8 f8 f8 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2
0x7ff7b4f6d480: f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2
0x7ff7b4f6d500: f2 f2 00 00 00 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8
0x7ff7b4f6d580: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==96547==ABORTING
make: *** [check] Abort trap: 6

[lurcher]

Hi, Thanks for that. You don't mention the code that is calling SQLGetInfo. But AFAIKS, the string_length argument is defined by Microsoft as a SQLSMALLINT *

SQLRETURN SQLGetInfo(
SQLHDBC ConnectionHandle,
SQLUSMALLINT InfoType,
SQLPOINTER InfoValuePtr,
SQLSMALLINT BufferLength,
SQLSMALLINT * StringLengthPtr);

There is some leeway

_StringLengthPtr
[Output] Pointer to a buffer in which to return the total number of bytes (excluding the null-termination character for character data) available to return in *InfoValuePtr.

For character data, if the number of bytes available to return is greater than or equal to BufferLength, the information in *InfoValuePtr is truncated to BufferLength bytes minus the length of a null-termination character and is null-terminated by the driver.

For all other types of data, the value of BufferLength is ignored and the driver assumes the size of *InfoValuePtr is SQLUSMALLINT or SQLUINTEGER, depending on the InfoType._

https://learn.microsoft.com/en-us/sql/odbc/reference/syntax/sqlgetinfo-function?view=sql-server-ver16