bsddb buffer overflow

Andrew Kuchling akuchlin at mems-exchange.org
Fri Oct 27 11:09:19 EDT 2000


lg at rgz.ru writes:
> #0  0x2828a61e in memcpy () from /usr/lib/libc_r.so.4
> (gdb) where
> #0  0x2828a61e in memcpy () from /usr/lib/libc_r.so.4
> #1  0x81cfbec in ?? ()
> #2  0x805b809 in call_builtin (func=0x81d8ba0, arg=0x81a60ac, kw=0x0)
>     at ceval.c:2650

Hmmm... the function of interest would be the one given as ??.
Otherwise, it's not clear that the segfault is happening inside the
bsddbmodule.  

Assuming it is (there are two calls to memcpy() inside the keys()
function, so it's plausible), I can see one possible problem.  The code
used is:

		if (status == 0) {
			/* malloc() result is never checked before the memcpy() below */
			if (krec.size > sizeof(buf)) data = malloc(krec.size);
			else data = buf;
			memcpy(data,krec.data,krec.size);
		}

The return value of malloc() isn't checked, so if it's NULL, the
module will blithely attempt to memcpy() to NULL.  Perhaps you're
really running out of memory, or perhaps krec.size is some bogusly
large value.  Your best course is probably to use your debugger some
more, and step through the bsddb_keys() function to see what's
happening.

--amk
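The two failure modes Andrew describes (malloc() returning NULL, or krec.size being a bogus length) can be shown side by side. The following is an added example, not code from bsddbmodule.c or Berkeley DB: rec_t is a constructed stand-in for the DBT key record, MAX_KEY_SIZE is a hypothetical sanity cap, and copy_key_unchecked reproduces the logic quoted above while copy_key_checked is one way to harden it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for the DB key record: a pointer plus a length,
 * which is all that the memcpy() in the quoted code consumes. */
typedef struct {
    void *data;
    size_t size;
} rec_t;

/* Hypothetical upper bound on a single key; the real module has none. */
#define MAX_KEY_SIZE (16u * 1024u * 1024u)

/* Size of the on-stack scratch buffer used for small keys. */
#define SMALL_BUF 4096

/* Mirrors the quoted logic: malloc() is never checked, so a NULL return
 * (real memory pressure, or an absurd krec->size) becomes memcpy(NULL, ...). */
static void *copy_key_unchecked(const rec_t *krec, char *buf)
{
    char *data;
    if (krec->size > SMALL_BUF) data = malloc(krec->size);
    else data = buf;
    memcpy(data, krec->data, krec->size);   /* crashes if malloc() failed */
    return data;
}

/* Hardened version: reject a bogus length before allocating, and check
 * malloc(). Returns 0 on success with *data_out set to buf or to a heap
 * block (caller frees it when it is not buf); returns -1 on failure. */
static int copy_key_checked(const rec_t *krec, char *buf, char **data_out)
{
    char *data;
    *data_out = NULL;
    if (krec->data == NULL && krec->size != 0) return -1;  /* corrupt record */
    if (krec->size > MAX_KEY_SIZE) return -1;              /* bogus length */
    if (krec->size > SMALL_BUF) {
        data = malloc(krec->size);
        if (data == NULL) return -1;                       /* out of memory */
    } else {
        data = buf;
    }
    memcpy(data, krec->data, krec->size);
    *data_out = data;
    return 0;
}

/* A small key must land in the stack buffer with its bytes intact. */
int small_key_uses_stack_buffer(void)
{
    char src[] = "constructed-small-key";          /* constructed input */
    char buf[SMALL_BUF];
    char *data;
    rec_t krec = { src, sizeof(src) };
    if (copy_key_checked(&krec, buf, &data) != 0) return 0;
    return data == buf && memcmp(data, src, sizeof(src)) == 0;
}

/* A key larger than the scratch buffer must come from the heap. */
int large_key_uses_heap(void)
{
    size_t n = 2 * SMALL_BUF;
    char *src = malloc(n);                           /* constructed input */
    char buf[SMALL_BUF];
    char *data;
    int ok;
    if (src == NULL) return 0;
    memset(src, 'k', n);
    rec_t krec = { src, n };
    ok = copy_key_checked(&krec, buf, &data) == 0
         && data != buf && memcmp(data, src, n) == 0;
    if (data != NULL && data != buf) free(data);
    free(src);
    return ok;
}

/* A record whose size field lies (SIZE_MAX over a 16-byte payload) must be
 * rejected before any allocation or copy; the unchecked path would not. */
int bogus_size_is_rejected(void)
{
    char src[16] = "bogus";                          /* constructed input */
    char buf[SMALL_BUF];
    char *data;
    rec_t krec = { src, SIZE_MAX };
    return copy_key_checked(&krec, buf, &data) == -1 && data == NULL;
}

int main(void)
{
    printf("small key in stack buffer: %d\n", small_key_uses_stack_buffer());
    printf("large key on heap:         %d\n", large_key_uses_heap());
    printf("bogus size rejected:       %d\n", bogus_size_is_rejected());
    (void)copy_key_unchecked;   /* kept for comparison; never fed bad input here */
    return 0;
}
```

The point of the size cap is that it turns a corrupted length field into a clean error instead of a multi-gigabyte malloc() that fails and then a NULL write; the stack-buffer fallback keeps the fast path for ordinary keys unchanged.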




More information about the Python-list mailing list