| From: | Ranier Vilela <ranier(dot)vf(at)gmail(dot)com> |
|---|---|
| To: | Michael Paquier <michael(at)paquier(dot)xyz> |
| Cc: | Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: pg_cryptohash_final possible out-of-bounds access (per Coverity) |
| Date: | 2021-02-11 22:55:45 |
| Message-ID: | CAEudQAr+Lub5bjpreCyPJSMJiTw5PXqApLa8hzuNTZWBXE3U7g@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Em qui., 11 de fev. de 2021 às 09:47, Michael Paquier <michael(at)paquier(dot)xyz>
escreveu:
> On Wed, Feb 10, 2021 at 09:14:46AM -0300, Ranier Vilela wrote:
> > It is necessary to correct the interfaces. To caller, inform the size of
> > the buffer it created.
>
> Now, the patch you sent has no need to be that complicated, and it
> partially works while not actually solving at all the problem you are
> trying to solve (nothing done for MD5 or OpenSSL). Attached is an
> example of what I finish with while poking at this issue. There is IMO
> no point to touch the internals of SCRAM that all rely on the same
> digest lengths for the proof generation with SHA256.
>
Ok, I take a look at your patch and I have comments:
1. Looks missed contrib/pgcrypto.
2. scram_HMAC_final function still have a exchanged parameters,
which in the future may impair maintenance.
Attached the v3 same patch.
regards,
Ranier Vilela
| Attachment | Content-Type | Size |
|---|---|---|
| pg_cryptohash_v3.patch | application/octet-stream | 13.7 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Corey Huinker | 2021-02-11 23:36:49 | Re: parse_slash_copy doesn't support psql variables substitution |
| Previous Message | Melanie Plageman | 2021-02-11 22:02:18 | Re: Parallel Full Hash Join |