Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit046c2c8

Browse files
committed
Reject extraneous data after SSL or GSS encryption handshake.
The server collects up to a bufferload of data whenever it reads datafrom the client socket. When SSL or GSS encryption is requestedduring startup, any additional data received with the initialrequest message remained in the buffer, and would be treated asalready-decrypted data once the encryption handshake completed.Thus, a man-in-the-middle with the ability to inject data into theTCP connection could stuff some cleartext data into the start ofa supposedly encryption-protected database session.This could be abused to send faked SQL commands to the server,although that would only work if the server did not demand anyauthentication data. (However, a server relying on SSL certificateauthentication might well not do so.)To fix, throw a protocol-violation error if the internal bufferis not empty after the encryption handshake.Our thanks to Jacob Champion for reporting this problem.Security:CVE-2021-23214
1 parent9b6194e commit046c2c8

File tree

3 files changed

+26
-0
lines changed

3 files changed

+26
-0
lines changed

‎src/backend/libpq/pqcomm.c

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1176,6 +1176,18 @@ pq_getstring(StringInfo s)
11761176
}
11771177
}
11781178

1179+
/* --------------------------------
1180+
*pq_buffer_has_data- is any buffered data available to read?
1181+
*
1182+
* This will *not* attempt to read more data.
1183+
* --------------------------------
1184+
*/
1185+
bool
1186+
pq_buffer_has_data(void)
1187+
{
1188+
return (PqRecvPointer<PqRecvLength);
1189+
}
1190+
11791191

11801192
/* --------------------------------
11811193
*pq_startmsgread - begin reading a message from the client.

‎src/backend/postmaster/postmaster.c

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2025,6 +2025,19 @@ ProcessStartupPacket(Port *port, bool SSLdone)
20252025
if (SSLok=='S'&&secure_open_server(port)==-1)
20262026
returnSTATUS_ERROR;
20272027
#endif
2028+
2029+
/*
2030+
* At this point we should have no data already buffered. If we do,
2031+
* it was received before we performed the SSL handshake, so it wasn't
2032+
* encrypted and indeed may have been injected by a man-in-the-middle.
2033+
* We report this case to the client.
2034+
*/
2035+
if (pq_buffer_has_data())
2036+
ereport(FATAL,
2037+
(errcode(ERRCODE_PROTOCOL_VIOLATION),
2038+
errmsg("received unencrypted data after SSL request"),
2039+
errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
2040+
20282041
/* regular startup packet, cancel, etc packet should follow... */
20292042
/* but not another SSL negotiation request */
20302043
returnProcessStartupPacket(port, true);

‎src/include/libpq/libpq.h

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -71,6 +71,7 @@ extern intpq_getmessage(StringInfo s, int maxlen);
7171
externintpq_getbyte(void);
7272
externintpq_peekbyte(void);
7373
externintpq_getbyte_if_available(unsignedchar*c);
74+
externboolpq_buffer_has_data(void);
7475
externintpq_putbytes(constchar*s,size_tlen);
7576

7677
/*

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp