| From: | Neil Conway <neilc(at)samurai(dot)com> |
|---|---|
| To: | Sir Mordred The Traitor <mordred(at)s-mail(dot)com> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: @(#)Mordred Labs advisory 0x0006: Two minor DoS conditions in PostgreSQL |
| Date: | 2002-08-26 14:11:54 |
| Message-ID: | 873ct1pv4l.fsf@mailbox.samurai.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Sir Mordred The Traitor <mordred(at)s-mail(dot)com> writes:
> template1=# select substring('xxxxxxxx',2,2147483647);
With CVS HEAD (with database encoding = SQL_ASCII and UNICODE), I get:
nconway=# select substring('xxxxxxxx',2,2147483647);
ERROR: negative substring length not allowed
With REL7_2_STABLE, I get:
template1=# select substring('xxxxxxxx',2,2147483647);
ERROR: MemoryContextAlloc: invalid request size 2147483651
> template1=# select bpchar('x',100000000);
With both CVS HEAD and REL7_2_STABLE, I get:
template1=# select bpchar('x',100000000);
zsh: 7312 segmentation fault (core dumped) ./psql template1
(note that it's the client, and not the backend, that crashes)
Although the backend does allocate a couple hundred megs of memory
while processing the query.
Although I haven't looked at the code yet, it's probably worth noting
that the two test cases posted above are not cut-and-dry DoS
opportunities, AFAICT -- however, the code may still be vulnerable.
Cheers,
Neil
--
Neil Conway <neilc(at)samurai(dot)com> || PGP Key ID: DB3C29FC
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alessio Bragadini | 2002-08-26 14:21:04 | Re: Release of v7.2.2 (Was: Re: @(#)Mordred Labs ad...) |
| Previous Message | Tom Lane | 2002-08-26 14:00:48 | Re: [HACKERS] TODO Done. Superuser backend slot reservations |