forked from postgres/postgres
Commit 3344582
Fix double-free bug in GSS authentication.
The logic to free the buffer after the gss_init_sec_context() call was always a bit wonky. Because gss_init_sec_context() sets the GSS context variable, conn->gctx, we would in fact always attempt to free the buffer. That only works, because previously conn->ginbuf.value was initialized to NULL, and free(NULL) is a no-op. Commit 61bf96c refactored things so that the GSS input token buffer is allocated locally in pg_GSS_continue, and not held in the PGconn object. After that, the now-local ginbuf.value variable isn't initialized when it's not used, so we pass a bogus pointer to free().

To fix, only try to free the input buffer if we allocated it. That was the intention, certainly after the refactoring, and probably even before that. But because there's no live bug before the refactoring, I refrained from backpatching this.

The bug was also independently reported by Graham Dutton, as bug #14690. Patch reviewed by Michael Paquier.

Discussion: https://www.postgresql.org/message-id/6288d80e-a0bf-d4d3-4e12-7b79c77f1771%40iki.fi
Discussion: https://www.postgresql.org/message-id/20170605130954.1438.90535%40wrigleys.postgresql.org

1 parent d4bfc06 commit 3344582
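The failure mode the commit message describes, modelled in C as an added example; it is not the PostgreSQL code and not part of this commit. `token_buf`, `continue_step`, `tracked_malloc`, `tracked_free` and the `stack_garbage` sentinel are hypothetical names: the sentinel stands in for an uninitialized local pointer so the bad free can be counted rather than executed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a GSS token buffer (length + value pointer). */
typedef struct { size_t length; void *value; } token_buf;

static void *live_alloc;   /* the one heap block this model currently owns */
static int bogus_frees;    /* frees of pointers malloc() never returned */
static char stack_garbage; /* models what an uninitialized local may hold */
static void *tracked_malloc(size_t n) { return live_alloc = malloc(n); }

/* Counts a bogus free instead of handing the pointer to free(). */
static void tracked_free(void *p)
{
    if (p == NULL)
        return;                 /* free(NULL) is a no-op */
    if (p == live_alloc) {
        live_alloc = NULL;
        free(p);
    } else {
        bogus_frees++;          /* real free() would get a bogus pointer */
    }
}

/* One pg_GSS_continue()-like round; returns bogus-free count, -1 on OOM. */
static int continue_step(int ctx_on_entry, size_t payloadlen, int fixed)
{
    token_buf in = { 0, &stack_garbage };   /* "uninitialized" local */
    int ctx = ctx_on_entry;                 /* 0 on the first call */
    bogus_frees = 0;
    if (ctx) {                              /* later calls read a token */
        in.length = payloadlen;
        if ((in.value = tracked_malloc(payloadlen)) == NULL)
            return -1;
    } else if (fixed) {
        in = (token_buf){ 0, NULL };        /* nothing allocated: say so */
    }
    ctx = 1;                    /* the init call always sets the context */
    if (fixed ? in.value != NULL : ctx)     /* buggy form keys off ctx */
        tracked_free(in.value);
    return bogus_frees;
}

int main(void)
{
    printf("first call: buggy=%d fixed=%d bogus free(s)\n",
           continue_step(0, 16, 0), continue_step(0, 16, 1));
    return 0;
}
```

Only the first round, where no input token is allocated, separates the two forms; later rounds allocate and free the same block either way.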
1 file changed: 7 additions & 2 deletions
Original file line number | Diff line number | Diff line change | |
---|---|---|---|
| |||
133 | 133 |
| |
134 | 134 |
| |
135 | 135 |
| |
| 136 | + | |
| 137 | + | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
136 | 141 |
| |
137 | 142 |
| |
138 | 143 |
| |
| |||
142 | 147 |
| |
143 | 148 |
| |
144 | 149 |
| |
145 |
| - | |
| 150 | + | |
146 | 151 |
| |
147 | 152 |
| |
148 | 153 |
| |
149 | 154 |
| |
150 | 155 |
| |
151 |
| - | |
| 156 | + | |
152 | 157 |
| |
153 | 158 |
| |
154 | 159 |
| |
|