forked from postgres/postgres
Commit 626f2c1
Properly NULL-terminate GSS receive buffer on error packet reception
pqsecure_open_gss() includes a code path handling error messages with v2-style protocol messages coming from the server. The client-side buffer holding the error message does not force a NULL-termination, with the data of the server getting copied to the errorMessage of the connection. Hence, it would be possible for a server to send an unterminated string and copy arbitrary bytes in the buffer receiving the error message in the client, opening the door to a crash or even data exposure.

As at this stage of the authentication process the exchange has not been completed yet, this could be abused by an attacker without Kerberos credentials. Clients that have a valid Kerberos cache are vulnerable as libpq opportunistically requests for it except if gssencmode is disabled.

Author: Jacob Champion
Backpatch-through: 12
Security: CVE-2022-41862

1 parent e8c2122 commit 626f2c1
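The failure mode the commit message describes, shown as an added example that is not code from this commit or from libpq: a reused receive buffer is filled with a length-delimited payload and then treated as a C string, first without and then with a forced terminator. The buffer size, function names and sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define RECV_CAP 32 /* hypothetical buffer size, not libpq's */

/* Unsafe: stores len payload bytes and nothing else, so whatever the
 * buffer held after position len is still there for string code. */
static void store_unterminated(char *buf, const char *wire, size_t len)
{
    memcpy(buf, wire, len);
}

/* Hardened: refuse a payload that leaves no room for the terminator,
 * then end the string exactly where the received data ends. */
static int store_terminated(char *buf, size_t cap, const char *wire, size_t len)
{
    if (len >= cap)
        return -1;
    memcpy(buf, wire, len);
    buf[len] = '\0';
    return 0;
}

/* Bytes beyond the payload that a string consumer would pick up. */
static size_t stale_bytes_exposed(int hardened)
{
    char buf[RECV_CAP] = {0};
    const char stale[] = "previous-packet-contents!";    /* constructed */
    const char wire[6] = {'n', 'o', ' ', 'g', 's', 's'}; /* constructed, no NUL */
    const char *end;

    memcpy(buf, stale, sizeof stale); /* buffer reused from an earlier read */
    if (hardened)
        (void) store_terminated(buf, sizeof buf, wire, sizeof wire);
    else
        store_unterminated(buf, wire, sizeof wire);

    end = memchr(buf, '\0', sizeof buf); /* bounded, unlike strlen */
    return (end ? (size_t) (end - buf) : sizeof buf) - sizeof wire;
}

int main(void)
{
    printf("unterminated: %zu stale bytes\n", stale_bytes_exposed(0));
    printf("terminated:   %zu stale bytes\n", stale_bytes_exposed(1));
    return 0;
}
```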
1 file changed, +2 -0 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
578 | 578 | | |
579 | 579 | | |
580 | 580 | | |
| 581 | + | |
| 582 | + | |
581 | 583 | | |
582 | 584 | | |
583 | 585 | | |
| |||
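Review bot: no test accompanies the two added lines (new lines 581-582); the change touches one file and adds nothing else. A regression test whose server-side error packet carries no terminator would keep this error path covered in the back branches the commit message lists.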