Commit b674211
Fix buffer overflow when processing SCRAM final message in libpq

When a client connects to a rogue server sending specifically-crafted messages, this can suffice to execute arbitrary code as the operating system account used by the client.

While on it, fix one error handling when decoding an incorrect salt included in the first message received from server.

Author: Michael Paquier
Reviewed-by: Jonathan Katz, Heikki Linnakangas
Security: CVE-2019-10164
Backpatch-through: 10
1 parent 09ec55b commit b674211

1 file changed: +20 -1 lines changed

src/interfaces/libpq/fe-auth-scram.c

Lines changed: 20 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -580,6 +580,12 @@ read_server_first_message(fe_scram_state *state, char *input)
580580
state->saltlen=pg_b64_decode(encoded_salt,
581581
strlen(encoded_salt),
582582
state->salt);
583+
if (state->saltlen<0)
584+
{
585+
printfPQExpBuffer(&conn->errorMessage,
586+
libpq_gettext("malformed SCRAM message (invalid salt)\n"));
587+
return false;
588+
}
583589

584590
iterations_str=read_attr_value(&input,'i',&conn->errorMessage);
585591
if (iterations_str==NULL)
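Review bot: The new state->saltlen<0 check in read_server_first_message runs only after pg_b64_decode has already written into state->salt, so it rejects malformed base64 but says nothing about the size of the destination. Please confirm that the allocation of state->salt above this hunk is sized from pg_b64_dec_len(strlen(encoded_salt)), the way the server-signature path in this commit sizes its buffer, and add a short comment next to the decode call stating that.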
@@ -610,6 +616,7 @@ read_server_final_message(fe_scram_state *state, char *input)
610616
{
611617
PGconn*conn=state->conn;
612618
char*encoded_server_signature;
619+
char*decoded_server_signature;
613620
intserver_signature_len;
614621

615622
state->server_final_message=strdup(input);
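Review bot: decoded_server_signature is declared without an initializer in read_server_final_message. The later hunk assigns it from malloc before any free, so nothing is wrong as posted, but initializing it to NULL here would keep an early-return cleanup path safe if one is ever added between the declaration and the malloc.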
@@ -645,15 +652,27 @@ read_server_final_message(fe_scram_state *state, char *input)
645652
printfPQExpBuffer(&conn->errorMessage,
646653
libpq_gettext("malformed SCRAM message (garbage at end of server-final-message)\n"));
647654

655+
server_signature_len=pg_b64_dec_len(strlen(encoded_server_signature));
656+
decoded_server_signature=malloc(server_signature_len);
657+
if (!decoded_server_signature)
658+
{
659+
printfPQExpBuffer(&conn->errorMessage,
660+
libpq_gettext("out of memory\n"));
661+
return false;
662+
}
663+
648664
server_signature_len=pg_b64_decode(encoded_server_signature,
649665
strlen(encoded_server_signature),
650-
state->ServerSignature);
666+
decoded_server_signature);
651667
if (server_signature_len!=SCRAM_KEY_LEN)
652668
{
669+
free(decoded_server_signature);
653670
printfPQExpBuffer(&conn->errorMessage,
654671
libpq_gettext("malformed SCRAM message (invalid server signature)\n"));
655672
return false;
656673
}
674+
memcpy(state->ServerSignature,decoded_server_signature,SCRAM_KEY_LEN);
675+
free(decoded_server_signature);
657676

658677
return true;
659678
}
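Review bot: server_signature_len is assigned twice with different meanings in read_server_final_message: first the upper bound from pg_b64_dec_len(strlen(encoded_server_signature)), used as the malloc size, then the actual length returned by pg_b64_decode. A separate variable for the allocation size would make the bounds reasoning easier to audit, since the memcpy into state->ServerSignature is only safe because the second value has been checked against SCRAM_KEY_LEN. Also, if the encoded signature is empty and pg_b64_dec_len returns 0, malloc(0) may return NULL on some platforms and the client would then report "out of memory" rather than "invalid server signature"; rejecting a zero length before the malloc avoids that.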
