forked from postgres/postgres
Commit 71c3779
Properly NULL-terminate GSS receive buffer on error packet reception
pqsecure_open_gss() includes a code path handling error messages with v2-style protocol messages coming from the server. The client-side buffer holding the error message does not force a NULL-termination, with the data of the server getting copied to the errorMessage of the connection. Hence, it would be possible for a server to send an unterminated string and copy arbitrary bytes in the buffer receiving the error message in the client, opening the door to a crash or even data exposure.

As at this stage of the authentication process the exchange has not been completed yet, this could be abused by an attacker without Kerberos credentials. Clients that have a valid kerberos cache are vulnerable as libpq opportunistically requests for it except if gssencmode is disabled.

Author: Jacob Champion
Backpatch-through: 12
Security: CVE-2022-41862

1 parent 2f6e15a commit 71c3779
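
The failure mode described in the commit message, as an added example that is not libpq's code and not part of this commit: a reused receive buffer formatted as a C string with and without termination at the received length. The buffer size, function names, stale bytes and packet are constructed; the final zero byte in the buffer exists only to keep the demo within defined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define RECV_BUF_SIZE 32 /* constructed size, not libpq's */

/* Simulate a reused receive buffer: stale bytes, then len packet bytes.
 * The last byte is zero only to keep this demo within defined behaviour. */
static int fill_recv_buffer(char *buf, const char *packet, size_t len)
{
    if (len > RECV_BUF_SIZE - 1)
        return -1; /* packet would not leave room for a terminator */
    memset(buf, 'S', RECV_BUF_SIZE - 1);
    buf[RECV_BUF_SIZE - 1] = '\0';
    memcpy(buf, packet, len);
    return 0;
}

/* Before: the buffer is formatted as a C string without being terminated. */
int error_len_unterminated(const char *packet, size_t len)
{
    char buf[RECV_BUF_SIZE], msg[RECV_BUF_SIZE + 16];

    if (fill_recv_buffer(buf, packet, len) < 0)
        return -1;
    snprintf(msg, sizeof msg, "%s", buf); /* runs past the packet bytes */
    return (int) strlen(msg);
}

/* After: terminate at the received length before any string use. */
int error_len_terminated(const char *packet, size_t len)
{
    char buf[RECV_BUF_SIZE], msg[RECV_BUF_SIZE + 16];

    if (fill_recv_buffer(buf, packet, len) < 0)
        return -1;
    buf[len] = '\0';
    snprintf(msg, sizeof msg, "%s", buf);
    return (int) strlen(msg);
}

int main(void)
{
    const char pkt[] = {'E', 'R', 'R', 'O', 'R'}; /* constructed, no NUL */

    printf("unterminated: %d bytes reach the error message\n",
           error_len_unterminated(pkt, sizeof pkt));
    printf("terminated:   %d bytes reach the error message\n",
           error_len_terminated(pkt, sizeof pkt));
    return 0;
}
```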
1 file changed: 2 additions & 0 deletions
Original file line number | Diff line number | Diff line change | |
---|---|---|---|
| |||
573 | 573 |
| |
574 | 574 |
| |
575 | 575 |
| |
| 576 | + | |
| 577 | + | |
576 | 578 |
| |
577 | 579 |
| |
578 | 580 |
| |
|
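
Review bot: the two added lines at new lines 576-577 arrive without a test (1 file changed, +2 -0). Consider a regression test that hands pqsecure_open_gss() an error packet lacking a terminating NUL byte and checks that the connection's errorMessage contains only the bytes actually received.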