NotificationsYou must be signed in to change notification settings
Fork4.9k
Star17.7k

Commit36a3be6

committed

Fix new and latent bugs with errno handling in secure_read/secure_write.

These functions must be careful that they return the intended value oferrno to their callers. There were several scenarios where this mightnot happen:1. The recent SSL renegotiation patch added a hunk of code that wouldexecute after setting errno. In the first place, it's doubtful that weshould consider renegotiation to be successfully completed after a failure,and in the second, there's no real guarantee that the called OpenSSLroutines wouldn't clobber errno. Fix by not executing that hunk exceptduring success exit.2. errno was left in an unknown state in case of an unrecognized returncode from SSL_get_error(). While this is a "can't happen" case, it seemslike a good idea to be sure we know what would happen, so reset errno toECONNRESET in such cases. (The corresponding code in libpq's fe-secure.calready did this.)3. There was an (undocumented) assumption that client_read_ended() wouldn'tchange errno. While true in the current state of the code, this seems lessthan future-proof. Add explicit saving/restoring of errno to make surethat changes in the called functions won't break things.I see no need to back-patch, since#1 is new code and the other two issuesare mostly hypothetical.Per discussion with Amit Kapila.

1 parent08d1b22 commit36a3be6Copy full SHA for 36a3be6

File tree

2 files changed

+27

-16

lines changed

src/backend
- libpq
  - be-secure.c
- tcop
  - postgres.c

2 files changed

+27

-16

lines changed

`‎src/backend/libpq/be-secure.c`

Lines changed: 21 additions & 16 deletions

Original file line number	Diff line number	Diff line change
`@@ -295,6 +295,7 @@ secure_read(Port port, void ptr, size_t len)`
`295`	`295`	`(errcode(ERRCODE_PROTOCOL_VIOLATION),`
`296`	`296`	`errmsg("unrecognized SSL error code: %d",`
`297`	`297`	`err)));`
	`298`	`+errno=ECONNRESET;`
`298`	`299`	`n=-1;`
`299`	`300`	`break;`
`300`	`301`	`}`
`@@ -416,28 +417,32 @@ secure_write(Port port, void ptr, size_t len)`
`416`	`417`	`(errcode(ERRCODE_PROTOCOL_VIOLATION),`
`417`	`418`	`errmsg("unrecognized SSL error code: %d",`
`418`	`419`	`err)));`
	`420`	`+errno=ECONNRESET;`
`419`	`421`	`n=-1;`
`420`	`422`	`break;`
`421`	`423`	`}`
`422`	`424`
`423`		`-/* is renegotiation complete? */`
`424`		`-if (in_ssl_renegotiation&&`
`425`		`-SSL_num_renegotiations(port->ssl) >=1)`
	`425`	`+if (n >=0)`
`426`	`426`	`{`
`427`		`-in_ssl_renegotiation= false;`
`428`		`-port->count=0;`
`429`		`-}`
	`427`	`+/* is renegotiation complete? */`
	`428`	`+if (in_ssl_renegotiation&&`
	`429`	`+SSL_num_renegotiations(port->ssl) >=1)`
	`430`	`+{`
	`431`	`+in_ssl_renegotiation= false;`
	`432`	`+port->count=0;`
	`433`	`+}`
`430`	`434`
`431`		`-/*`
`432`		`- * if renegotiation is still ongoing, and we've gone beyond the limit,`
`433`		`- * kill the connection now -- continuing to use it can be considered a`
`434`		`- * security problem.`
`435`		`- */`
`436`		`-if (in_ssl_renegotiation&&`
`437`		`-port->count>ssl_renegotiation_limit*1024L)`
`438`		`-ereport(FATAL,`
`439`		`-(errcode(ERRCODE_PROTOCOL_VIOLATION),`
`440`		`-errmsg("SSL failed to renegotiate connection before limit expired")));`
	`435`	`+/*`
	`436`	`+ * if renegotiation is still ongoing, and we've gone beyond the`
	`437`	`+ * limit, kill the connection now -- continuing to use it can be`
	`438`	`+ * considered a security problem.`
	`439`	`+ */`
	`440`	`+if (in_ssl_renegotiation&&`
	`441`	`+port->count>ssl_renegotiation_limit*1024L)`
	`442`	`+ereport(FATAL,`
	`443`	`+(errcode(ERRCODE_PROTOCOL_VIOLATION),`
	`444`	`+errmsg("SSL failed to renegotiate connection before limit expired")));`
	`445`	`+}`
`441`	`446`	`}`
`442`	`447`	`else`
`443`	`448`	`#endif`

`‎src/backend/tcop/postgres.c`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -526,16 +526,22 @@ prepare_for_client_read(void)`
`526`	`526`
`527`	`527`	`/*`
`528`	`528`	`* client_read_ended -- get out of the client-input state`
	`529`	`+ *`
	`530`	`+ * This is called just after low-level reads. It must preserve errno!`
`529`	`531`	`*/`
`530`	`532`	`void`
`531`	`533`	`client_read_ended(void)`
`532`	`534`	`{`
`533`	`535`	`if (DoingCommandRead)`
`534`	`536`	`{`
	`537`	`+intsave_errno=errno;`
	`538`	`+`
`535`	`539`	`ImmediateInterruptOK= false;`
`536`	`540`
`537`	`541`	`DisableNotifyInterrupt();`
`538`	`542`	`DisableCatchupInterrupt();`
	`543`	`+`
	`544`	`+errno=save_errno;`
`539`	`545`	`}`
`540`	`546`	`}`
`541`	`547`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit36a3be6

File tree

2 files changed

2 files changed

`‎src/backend/libpq/be-secure.c`

`‎src/backend/tcop/postgres.c`

0 commit comments