NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitd72a7e4

committed

Fix buffer overflow when processing SCRAM final message in libpq

When a client connects to a rogue server sending specifically-craftedmessages, this can suffice to execute arbitrary code as the operatingsystem account used by the client.While on it, fix one error handling when decoding an incorrect saltincluded in the first message received from server.Author: Michael PaquierReviewed-by: Jonathan Katz, Heikki LinnakangasSecurity:CVE-2019-10164Backpatch-through: 10

1 parent90adc16 commitd72a7e4Copy full SHA for d72a7e4

File tree

1 file changed

+20

-1

lines changed

src/interfaces/libpq
- fe-auth-scram.c

1 file changed

+20

-1

lines changed

`‎src/interfaces/libpq/fe-auth-scram.c`

Lines changed: 20 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -462,6 +462,12 @@ read_server_first_message(fe_scram_state state, char input,`
`462`	`462`	`state->saltlen=pg_b64_decode(encoded_salt,`
`463`	`463`	`strlen(encoded_salt),`
`464`	`464`	`state->salt);`
	`465`	`+if (state->saltlen<0)`
	`466`	`+{`
	`467`	`+printfPQExpBuffer(errormessage,`
	`468`	`+libpq_gettext("malformed SCRAM message (invalid salt)\n"));`
	`469`	`+return false;`
	`470`	`+}`
`465`	`471`
`466`	`472`	`iterations_str=read_attr_value(&input,'i',errormessage);`
`467`	`473`	`if (iterations_str==NULL)`
`@@ -492,6 +498,7 @@ read_server_final_message(fe_scram_state state, char input,`
`492`	`498`	`PQExpBuffererrormessage)`
`493`	`499`	`{`
`494`	`500`	`char*encoded_server_signature;`
	`501`	`+char*decoded_server_signature;`
`495`	`502`	`intserver_signature_len;`
`496`	`503`
`497`	`504`	`state->server_final_message=strdup(input);`
`@@ -525,15 +532,27 @@ read_server_final_message(fe_scram_state state, char input,`
`525`	`532`	`printfPQExpBuffer(errormessage,`
`526`	`533`	`libpq_gettext("malformed SCRAM message (garbage at end of server-final-message)\n"));`
`527`	`534`
	`535`	`+server_signature_len=pg_b64_dec_len(strlen(encoded_server_signature));`
	`536`	`+decoded_server_signature=malloc(server_signature_len);`
	`537`	`+if (!decoded_server_signature)`
	`538`	`+{`
	`539`	`+printfPQExpBuffer(errormessage,`
	`540`	`+libpq_gettext("out of memory\n"));`
	`541`	`+return false;`
	`542`	`+}`
	`543`	`+`
`528`	`544`	`server_signature_len=pg_b64_decode(encoded_server_signature,`
`529`	`545`	`strlen(encoded_server_signature),`
`530`		`-state->ServerSignature);`
	`546`	`+decoded_server_signature);`
`531`	`547`	`if (server_signature_len!=SCRAM_KEY_LEN)`
`532`	`548`	`{`
	`549`	`+free(decoded_server_signature);`
`533`	`550`	`printfPQExpBuffer(errormessage,`
`534`	`551`	`libpq_gettext("malformed SCRAM message (invalid server signature)\n"));`
`535`	`552`	`return false;`
`536`	`553`	`}`
	`554`	`+memcpy(state->ServerSignature,decoded_server_signature,SCRAM_KEY_LEN);`
	`555`	`+free(decoded_server_signature);`
`537`	`556`
`538`	`557`	`return true;`
`539`	`558`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitd72a7e4

File tree

1 file changed

1 file changed

`‎src/interfaces/libpq/fe-auth-scram.c`

0 commit comments