NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit9b5e831

committed

Check return values of sensitive system library calls.

PostgreSQL already checked the vast majority of these, missing thishandful that nearly cannot fail. If putenv() failed with ENOMEM inpg_GSS_recvauth(), authentication would proceed with the wrong keytabfile. If strftime() returned zero in cache_locale_time(), using theunspecified buffer contents could lead to information exposure or acrash. Back-patch to 9.0 (all supported versions).Other unchecked calls to these functions, especially those in frontendcode, pose negligible security concern. This patch does not addressthem. Nonetheless, it is always better to check return values whosespecification provides for indicating an error.In passing, fix an off-by-one error in strftime_win32()'s invocation ofWideCharToMultiByte(). Upon retrieving a value of exactly MAX_L10N_DATAbytes, strftime_win32() would overrun the caller's buffer by one byte.MAX_L10N_DATA is chosen to exceed the length of every possible value, sothe vulnerable scenario probably does not arise.Security:CVE-2015-3166

1 parentb08c7af commit9b5e831Copy full SHA for 9b5e831

File tree

2 files changed

+48

-33

lines changed

src/backend
- libpq
  - auth.c
- utils/adt
  - pg_locale.c

2 files changed

+48

-33

lines changed

`‎src/backend/libpq/auth.c`

Lines changed: 4 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -1014,15 +1014,16 @@ pg_GSS_recvauth(Port *port)`
`1014`	`1014`	`size_tkt_len=strlen(pg_krb_server_keyfile)+14;`
`1015`	`1015`	`char*kt_path=malloc(kt_len);`
`1016`	`1016`
`1017`		`-if (!kt_path)`
	`1017`	`+if (!kt_path\|\|`
	`1018`	`+snprintf(kt_path,kt_len,"KRB5_KTNAME=%s",`
	`1019`	`+pg_krb_server_keyfile)!=kt_len-2\|\|`
	`1020`	`+putenv(kt_path)!=0)`
`1018`	`1021`	`{`
`1019`	`1022`	`ereport(LOG,`
`1020`	`1023`	`(errcode(ERRCODE_OUT_OF_MEMORY),`
`1021`	`1024`	`errmsg("out of memory")));`
`1022`	`1025`	`returnSTATUS_ERROR;`
`1023`	`1026`	`}`
`1024`		`-snprintf(kt_path,kt_len,"KRB5_KTNAME=%s",pg_krb_server_keyfile);`
`1025`		`-putenv(kt_path);`
`1026`	`1027`	`}`
`1027`	`1028`	`}`
`1028`	`1029`

`‎src/backend/utils/adt/pg_locale.c`

Lines changed: 44 additions & 30 deletions

Original file line number	Diff line number	Diff line change
`@@ -558,24 +558,34 @@ PGLC_localeconv(void)`
`558`	`558`	`* pg_strftime(), which isn't locale-aware and does not need to be replaced.`
`559`	`559`	`*/`
`560`	`560`	`staticsize_t`
`561`		`-strftime_win32(chardst,size_tdstlen,constwchar_tformat,conststructtm*tm)`
	`561`	`+strftime_win32(char*dst,size_tdstlen,`
	`562`	`+constcharformat,conststructtmtm)`
`562`	`563`	`{`
`563`	`564`	`size_tlen;`
	`565`	`+wchar_twformat[8];/* formats used below need 3 bytes */`
`564`	`566`	`wchar_twbuf[MAX_L10N_DATA];`
`565`	`567`	`intencoding;`
`566`	`568`
`567`	`569`	`encoding=GetDatabaseEncoding();`
`568`	`570`
`569`		`-len=wcsftime(wbuf,MAX_L10N_DATA,format,tm);`
	`571`	`+/* get a wchar_t version of the format string */`
	`572`	`+len=MultiByteToWideChar(CP_UTF8,0,format,-1,`
	`573`	`+wformat,lengthof(wformat));`
	`574`	`+if (len==0)`
	`575`	`+elog(ERROR,"could not convert format string from UTF-8: error code %lu",`
	`576`	`+GetLastError());`
	`577`	`+`
	`578`	`+len=wcsftime(wbuf,MAX_L10N_DATA,wformat,tm);`
`570`	`579`	`if (len==0)`
`571`	`580`
`572`	`581`	`/*`
`573`		`- * strftimecallfailed - return 0 with the contents of dst`
`574`		`- * unspecified`
	`582`	`+ * strftime failed, possibly because the result would not fit in`
	`583`	`+ *MAX_L10N_DATA. Return 0 with the contents of dstunspecified.`
`575`	`584`	`*/`
`576`	`585`	`return0;`
`577`	`586`
`578`		`-len=WideCharToMultiByte(CP_UTF8,0,wbuf,len,dst,dstlen,NULL,NULL);`
	`587`	`+len=WideCharToMultiByte(CP_UTF8,0,wbuf,len,dst,dstlen-1,`
	`588`	`+NULL,NULL);`
`579`	`589`	`if (len==0)`
`580`	`590`	`elog(ERROR,`
`581`	`591`	`"could not convert string to UTF-8:error %lu",GetLastError());`
`@@ -596,9 +606,33 @@ strftime_win32(char dst, size_t dstlen, const wchar_t format, const struct tm`
`596`	`606`	`}`
`597`	`607`
`598`	`608`	`/* redefine strftime() */`
`599`		`-#definestrftime(a,b,c,d) strftime_win32(a,b,L##c,d)`
	`609`	`+#definestrftime(a,b,c,d) strftime_win32(a,b,c,d)`
`600`	`610`	`#endif/* WIN32 */`
`601`	`611`
	`612`	`+/* Subroutine for cache_locale_time(). */`
	`613`	`+staticvoid`
	`614`	`+cache_single_time(char*dst,constcharformat,conststructtm*tm)`
	`615`	`+{`
	`616`	`+charbuf[MAX_L10N_DATA];`
	`617`	`+char*ptr;`
	`618`	`+`
	`619`	`+/*`
	`620`	`+ * MAX_L10N_DATA is sufficient buffer space for every known locale, and`
	`621`	`+ * POSIX defines no strftime() errors. (Buffer space exhaustion is not an`
	`622`	`+ * error.) An implementation might report errors (e.g. ENOMEM) by`
	`623`	`+ * returning 0 (or, less plausibly, a negative value) and setting errno.`
	`624`	`+ * Report errno just in case the implementation did that, but clear it in`
	`625`	`+ * advance of the call so we don't emit a stale, unrelated errno.`
	`626`	`+ */`
	`627`	`+errno=0;`
	`628`	`+if (strftime(buf,MAX_L10N_DATA,format,tm) <=0)`
	`629`	`+elog(ERROR,"strftime(%s) failed: %m",format);`
	`630`	`+`
	`631`	`+ptr=MemoryContextStrdup(TopMemoryContext,buf);`
	`632`	`+if (*dst)`
	`633`	`+pfree(*dst);`
	`634`	`+*dst=ptr;`
	`635`	`+}`
`602`	`636`
`603`	`637`	`/*`
`604`	`638`	`* Update the lc_time localization cache variables if needed.`
`@@ -609,8 +643,6 @@ cache_locale_time(void)`
`609`	`643`	`char*save_lc_time;`
`610`	`644`	`time_ttimenow;`
`611`	`645`	`structtm*timeinfo;`
`612`		`-charbuf[MAX_L10N_DATA];`
`613`		`-char*ptr;`
`614`	`646`	`inti;`
`615`	`647`
`616`	`648`	`#ifdefWIN32`
`@@ -657,35 +689,17 @@ cache_locale_time(void)`
`657`	`689`	`for (i=0;i<7;i++)`
`658`	`690`	`{`
`659`	`691`	`timeinfo->tm_wday=i;`
`660`		`-strftime(buf,MAX_L10N_DATA,"%a",timeinfo);`
`661`		`-ptr=MemoryContextStrdup(TopMemoryContext,buf);`
`662`		`-if (localized_abbrev_days[i])`
`663`		`-pfree(localized_abbrev_days[i]);`
`664`		`-localized_abbrev_days[i]=ptr;`
`665`		`-`
`666`		`-strftime(buf,MAX_L10N_DATA,"%A",timeinfo);`
`667`		`-ptr=MemoryContextStrdup(TopMemoryContext,buf);`
`668`		`-if (localized_full_days[i])`
`669`		`-pfree(localized_full_days[i]);`
`670`		`-localized_full_days[i]=ptr;`
	`692`	`+cache_single_time(&localized_abbrev_days[i],"%a",timeinfo);`
	`693`	`+cache_single_time(&localized_full_days[i],"%A",timeinfo);`
`671`	`694`	`}`
`672`	`695`
`673`	`696`	`/* localized months */`
`674`	`697`	`for (i=0;i<12;i++)`
`675`	`698`	`{`
`676`	`699`	`timeinfo->tm_mon=i;`
`677`	`700`	`timeinfo->tm_mday=1;/* make sure we don't have invalid date */`
`678`		`-strftime(buf,MAX_L10N_DATA,"%b",timeinfo);`
`679`		`-ptr=MemoryContextStrdup(TopMemoryContext,buf);`
`680`		`-if (localized_abbrev_months[i])`
`681`		`-pfree(localized_abbrev_months[i]);`
`682`		`-localized_abbrev_months[i]=ptr;`
`683`		`-`
`684`		`-strftime(buf,MAX_L10N_DATA,"%B",timeinfo);`
`685`		`-ptr=MemoryContextStrdup(TopMemoryContext,buf);`
`686`		`-if (localized_full_months[i])`
`687`		`-pfree(localized_full_months[i]);`
`688`		`-localized_full_months[i]=ptr;`
	`701`	`+cache_single_time(&localized_abbrev_months[i],"%b",timeinfo);`
	`702`	`+cache_single_time(&localized_full_months[i],"%B",timeinfo);`
`689`	`703`	`}`
`690`	`704`
`691`	`705`	`/* try to restore internal settings */`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit9b5e831

File tree

2 files changed

2 files changed

`‎src/backend/libpq/auth.c`

`‎src/backend/utils/adt/pg_locale.c`

0 commit comments