none
has the RAISERROR buffer problem been fixed in SS 2008 R2 RRS feed

  • Question

  • We have been working around the RAISERROR problem (I think that it is the result of a filter in the network somewhere) in SS 2008 R2. There are many threads about this. One of them pointed me to a bulletin that implies the original RAISERROR buffer overflow problem was "fixed" in SS 2000 SP2 (it is shown as not vulnerable).

    The problem showed up suddenly here about a year and a half ago, presumable due to a new filter being added by network security. Can't find anyone there to talk to about it. Maybe they heard about the problem re-appearing in SS 2008 R2.

    Does anyone have any info on that?

    Friday, March 8, 2013 4:29 PM

Answers

  • The only thing I could find was this

    http://technet.microsoft.com/en-us/security/bulletin/ms01-060

    which was fixed in SQL 2000 SP2, 11 years ago.

    David


    David http://blogs.msdn.com/b/dbrowne/

    Monday, March 11, 2013 1:27 PM
  • If your network people want solid proof for that the issue might not have resurfaced you may be banging your head against the wall. The whole thing is silly anyway, since you can log in directly on the server, and inject things into RAISERROR if it would be that bad.

    The filter is of course meaningless - even if you would happen to have SQL 2000 SP2, since RAISERROR is required to create your stored procedures. If the network people don't understand their folly, talk with your manager and tell them you cannot work because of this, and then your manager has to talk to their manager and so on.


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
    Monday, March 11, 2013 10:46 PM

All replies

  • Could you elaborate on exactly what problem you are seeing?

    David


    David http://blogs.msdn.com/b/dbrowne/

    Friday, March 8, 2013 4:32 PM
  • It is far more likely that the whoever made that filter was confused.


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
    Friday, March 8, 2013 10:47 PM
  • The problem we are seeing is that there appears to be a filter in the network somewhere that blocks the completion of a create procedure execution if RAISERROR shows up anywhere, including in comments. I think Erland is correct, but need something solid that shows the buffer overflow problem is corrected in 2008 R2. Then I can go to the network people and get the filter removed.

    Note that after a procedure is created with RAISERROR in place, usually by loggin into the server itself, the procedure runs just fine. This is a development issue.

    Monday, March 11, 2013 12:34 PM
  • The only thing I could find was this

    http://technet.microsoft.com/en-us/security/bulletin/ms01-060

    which was fixed in SQL 2000 SP2, 11 years ago.

    David


    David http://blogs.msdn.com/b/dbrowne/

    Monday, March 11, 2013 1:27 PM
  • If your network people want solid proof for that the issue might not have resurfaced you may be banging your head against the wall. The whole thing is silly anyway, since you can log in directly on the server, and inject things into RAISERROR if it would be that bad.

    The filter is of course meaningless - even if you would happen to have SQL 2000 SP2, since RAISERROR is required to create your stored procedures. If the network people don't understand their folly, talk with your manager and tell them you cannot work because of this, and then your manager has to talk to their manager and so on.


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
    Monday, March 11, 2013 10:46 PM
  • Erland: Thanks for the comment. I think you have it right, and I will be excallating this to see if we can get it fixed.

    Thanks to all you took the time to reply,

    RK

    Thursday, March 14, 2013 2:30 PM