Microsoft ODBC bug
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Tue Jul 2 19:20:31 CEST 2019
> On 2 Jul 2019, at 13:16, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>
>
>
>> On 2 Jul 2019, at 12:21, Dom Latter <freeradius-users at latter.org> wrote:
>>
>>
>>
>> On 02/07/2019 16:10, Alan DeKok wrote:
>>> On Jul 2, 2019, at 12:18 PM, Dom Latter <freeradius-users at latter.org>
>>> wrote:
>>>> And again, with PHP, "SELECT 123456789" works fine but a large number gets an error from the ODBC driver.
>>>> <snip>
>>> That's all well and good, but what should *we* be doing differently?
>>
>> Well, if I knew that...
>>
>>> We're not Microsoft experts, or experts in ODBC. The ODBC layer was
>>> contributed by someone years ago, and we've maintained it since then.
>>> It mostly works, but new features require people who can delve into
>>> it and fix things.
>>
>> And that is what I am trying to do. I am looking at the following
>> in rlm_sql_unixodbc.c
>>
>> /* Executing query */
>> {
>> SQLCHAR *odbc_query;
>>
>> memcpy(&odbc_query, &query, sizeof(odbc_query));
>> err_handle = SQLExecDirect(conn->stmt, odbc_query, strlen(query));
>> }
>>
>> Is that a safe memcpy? It's a long time since I programmed in C...
>
> It's likely copying a pointer from query to odbc_query to defeat const checks, because SQLExecDirect should likely take a const (read only) query string pointer, and doesn't.
>
> So yes... It's fine.
If you wanted to double check what was being passed, either break at that line in a debugger, or add:
ERROR("Query executed: %s", (char *)odbc_query);
somewhere after the memcpy, and it'll print out the query string in red.
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
More information about the Freeradius-Users
mailing list