Re: pgsql: Fix low-risk potential denial of service against RADIUS login.

From: Thom Brown <thom(at)linux(dot)com>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: pgsql-committers(at)postgresql(dot)org
Subject: Re: pgsql: Fix low-risk potential denial of service against RADIUS login.
Date: 2010-10-15 15:16:51
Message-ID: AANLkTik6naZXVctOYVGDj0YNoH=S0uKxt7Oj_EJPHY54@mail.gmail.com
Lists: pgsql-committers

On 15 October 2010 16:03, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> Fix low-risk potential denial of service against RADIUS login.
>
> Corrupt RADIUS responses were treated as errors and not ignored
> (which the RFC2865 states they should be). This meant that a
> user with unfiltered access to the network of the PostgreSQL
> or RADIUS server could send a spoofed RADIUS response
> to the PostgreSQL server causing it to reject a valid login,
> provided the attacker could also guess (or brute-force) the
> correct port number.
>
> Fix is to simply retry the receive in a loop until the timeout
> has expired or a valid (signed by the correct RADIUS server)
> packet arrives.
>
> Reported by Alan DeKok in bug #5687.
>
> Branch
> ------
> master
>
> Details
> -------
> http://git.postgresql.org/gitweb?p=postgresql.git;a=commitdiff;h=0e7f7071e893bb171150e53271404b0819a40669
>
> Modified Files
> --------------
> src/backend/libpq/auth.c |  220 ++++++++++++++++++++++++++--------------------
> 1 files changed, 126 insertions(+), 94 deletions(-)

Should this...

timeoutval = (endtime.tv_sec * 1000000 + endtime.tv_usec) -
(now.tv_sec * 1000000 + now.tv_usec);

be parenthesised a bit more? Given operator precedence, I'm assuming
this makes it...

timeoutval = ((endtime.tv_sec * 1000000) + endtime.tv_usec) -
((now.tv_sec * 1000000) + now.tv_usec);

--
Thom Brown
Twitter: @darkixion
IRC (freenode): dark_ixion
Registered Linux user: #516935
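As an added illustration of the fix the commit message describes (this is example code, not the committed auth.c change), here is the remaining-time computation with the grouping spelled out, plus a receive loop of the same shape that ignores unverified responses and recomputes the timeout before each wait; it is driven by constructed responses rather than a socket, and `sim_response`, `receive_until_valid`, `advance` and the timing values are assumptions for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <sys/time.h>

/* Microseconds left until endtime, or 0 once the deadline has passed.
 * Same arithmetic as the quoted expression, with the grouping spelled out;
 * the int64_t casts keep tv_sec * 1000000 from overflowing a 32-bit time_t. */
int64_t remaining_timeout_us(struct timeval endtime, struct timeval now)
{
    int64_t end_us = ((int64_t) endtime.tv_sec * 1000000) + endtime.tv_usec;
    int64_t now_us = ((int64_t) now.tv_sec * 1000000) + now.tv_usec;
    return end_us > now_us ? end_us - now_us : 0;
}

/* Advance a timeval by us microseconds (simulated clock for the example). */
static void advance(struct timeval *tv, int64_t us)
{
    int64_t total = ((int64_t) tv->tv_sec * 1000000) + tv->tv_usec + us;
    tv->tv_sec = total / 1000000;
    tv->tv_usec = total % 1000000;
}

/* Constructed stand-in for a RADIUS response: whether its authenticator
 * verified against the shared secret, and how long after the previous
 * receive it arrives. A real implementation would recv() from the socket. */
struct sim_response {
    bool authenticator_ok;
    int64_t delay_us;
};

/* The retry loop the commit message describes: a response that fails
 * verification is ignored rather than treated as an error, and the
 * remaining timeout is recomputed before each wait. Returns the index of
 * the first verified response, or -1 if the deadline expires first. */
int receive_until_valid(const struct sim_response *rs, int n,
                        struct timeval endtime, struct timeval now)
{
    for (int i = 0; i < n; i++) {
        int64_t timeout = remaining_timeout_us(endtime, now);
        if (timeout <= 0 || rs[i].delay_us > timeout)
            return -1;      /* deadline reached before the next packet */
        advance(&now, rs[i].delay_us);
        if (rs[i].authenticator_ok)
            return i;       /* accept only a packet signed by the real server */
        /* spoofed or corrupt packet: drop it and keep waiting */
    }
    return -1;              /* simulation ran out of packets before a valid one */
}
```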
