From: | Christian Ullrich <chris(at)chrullrich(dot)net> |
---|---|
To: | Robbie Harwood <rharwood(at)redhat(dot)com> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
Subject: | Re: [HACKERS] BUG #13854: SSPI authentication failure: wrong realm name used |
Date: | 2016-03-24 15:57:33 |
Message-ID: | AM3PR06MB06966DD9FC34CE9643020DF9D4820@AM3PR06MB0696.eurprd06.prod.outlook.com |
Lists: | pgsql-bugs pgsql-hackers |
* From: Christian Ullrich
> * From: Robbie Harwood [mailto:rharwood(at)redhat(dot)com]
>
> > Christian Ullrich <chris(at)chrullrich(dot)net> writes:
> > > + /* Replace domainname with realm name. */
> > > + if (upnamerealmsize > domainnamesize)
> > > + {
> > > + pfree(upname);
> > > + ereport(LOG,
> > > + (errcode(ERRCODE_INVALID_ROLE_SPECIFICATION),
> > > + errmsg("realm name too long")));
> > > + return STATUS_ERROR;
> > > + }
> > > +
> > > + /* Length is now safe. */
> > > + strcpy(domainname, p+1);
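Review bot: the `upnamerealmsize > domainnamesize` test protects the `strcpy(domainname, p+1)` on the last line only if `upnamerealmsize` counts the terminating NUL. If it is a plain string length, a realm of exactly `domainnamesize` bytes passes the test and the copy writes one byte past the buffer. The hunk does not show how `upnamerealmsize` is computed, so either say so in the "Length is now safe." comment or do the copy with `strlcpy(domainname, p+1, domainnamesize)`. The "Replace domainname with realm name." comment should also state that the caller's `domainname` buffer is reused as the output, since that reuse is the only reason the length test exists.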
> >
> > Is this an actual fail state or something born out of convenience? A
> > naive reading of this code doesn't explain why it's forbidden for the
> > upn realm to be longer than the domain name.
>
> Because it's copied *into* domainname right there on the last line.
>
> That said, sizeof(domainname) is MAXPGPATH, which is 1024, so there is
> absolutely no chance that the realm could be longer -- it would need an
> AD forest at least 16 domains deep.
Oh, sorry, I misunderstood the question. Yes, it's due to convenience, but
a) it *is* rather convenient given the plentiful buffer I get, and
b) doing it differently involves char** inout parameters and potential
trouble with pointer aliasing in the caller, both things I'd rather avoid.
--
Christian