
Re: fix for palloc() of user-supplied length

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Neil Conway <neilc(at)samurai(dot)com>
Cc: Serguei Mokhov <mokhov(at)cs(dot)concordia(dot)ca>,PostgreSQL Patches <pgsql-patches(at)postgresql(dot)org>
Subject: Re: fix for palloc() of user-supplied length
Date: 2002-08-30 15:24:16
Message-ID: 200208301524.g7UFOHC01486@candle.pha.pa.us
Lists: pgsql-hackers, pgsql-patches
Patch backed out.  Thanks.

---------------------------------------------------------------------------

Neil Conway wrote:
> Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:
> > I have applied the following modified version of your patch.  The
> > original version would not apply to CVS.
> 
> Yes, the reason being that Tom removed the entire section of code that
> my patch modified (and that is the better solution, IMHO).
> 
> The patch you've applied does something rather different, and is
> unrelated to the "vulnerability" reported by Mordred and referred to
> in the Subject -- your patch adds some additional sanity checking when
> reading the password packet from v1 protocol clients. This is
> unnecessary for two reasons:
> 
>         (1) We use a StringInfo to hold the input data, which is
>             dynamically allocated as necessary. Since there's no
>             palloc() with user-supplied data, you'd need to write x
>             bytes to the backend to force it to allocate x bytes of
>             memory (i.e. potential for DoS is low).
> 
>         (2) The length supplied by the user is completely ignored by
>             the code, and it simply reads the input until it sees a
>             NULL terminator (read the comments in the code about 10
>             lines down.) Therefore, any sanity checking on the length
>             specified by the user is a waste of time.
> 
> You should probably back out your patch.
> 
> Cheers,
> 
> Neil
> 
> -- 
> Neil Conway <neilc(at)samurai(dot)com> || PGP Key ID: DB3C29FC
> 
> 

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
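The read-until-terminator approach Neil describes, as an added C example that is not code from the PostgreSQL source: a minimal stand-in for StringInfo (the names GrowBuf and read_password_packet are my own) that deliberately ignores the client's length field and grows its allocation only with bytes the peer actually sent.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the backend's StringInfo: a growable buffer. */
typedef struct {
    char *data;
    size_t len;     /* bytes stored, not counting the terminating NUL */
    size_t maxlen;  /* bytes currently allocated */
} GrowBuf;

static int growbuf_init(GrowBuf *b) {
    b->maxlen = 16;            /* small initial size so growth is exercised */
    b->len = 0;
    b->data = malloc(b->maxlen);
    return b->data ? 0 : -1;
}

/* Append one byte, doubling the allocation only when it is actually needed. */
static int growbuf_append(GrowBuf *b, char c) {
    if (b->len + 2 > b->maxlen) {          /* +1 for c, +1 for the NUL */
        size_t n = b->maxlen * 2;
        char *p = realloc(b->data, n);
        if (!p) return -1;
        b->data = p;
        b->maxlen = n;
    }
    b->data[b->len++] = c;
    b->data[b->len] = '\0';
    return 0;
}

/*
 * Read a NUL-terminated password string from a captured packet.
 * 'claimed_len' is the length field sent by the client; as in the backend
 * code the thread discusses, it is never used to size an allocation, so a
 * huge claimed length costs the server nothing. Memory grows only with bytes
 * that really arrived. Returns the string length, or -1 if no NUL is found.
 */
int read_password_packet(const unsigned char *wire, size_t wire_len,
                         uint32_t claimed_len, GrowBuf *out) {
    (void)claimed_len;  /* ignored on purpose */
    if (growbuf_init(out) != 0) return -1;
    for (size_t i = 0; i < wire_len; i++) {
        if (wire[i] == '\0') return (int)out->len;
        if (growbuf_append(out, (char)wire[i]) != 0) break;
    }
    free(out->data);    /* allocation failure or packet ended before a NUL */
    out->data = NULL;
    return -1;
}
```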
