Commit 9a3f530

Fix possible buffer overrun and/or unportable behavior in pg_md5_encrypt()
if salt_len == 0. This seems to be mostly academic, since nearly all calling code paths guarantee nonempty salt; the only case that doesn't is PQencryptPassword where the caller could mistakenly pass an empty username. So, fix it but don't bother backpatching. Per ljb.
1 parent c82fdb6, commit 9a3f530

1 file changed, +4 -3 lines changed

‎src/backend/libpq/md5.c

Lines changed: 4 additions & 3 deletions
@@ -14,7 +14,7 @@
1414
*Portions Copyright (c) 1994, Regents of the University of California
1515
*
1616
* IDENTIFICATION
17-
* $PostgreSQL: pgsql/src/backend/libpq/md5.c,v 1.36 2009/01/01 17:23:42 momjian Exp $
17+
* $PostgreSQL: pgsql/src/backend/libpq/md5.c,v 1.37 2009/09/15 02:31:15 tgl Exp $
1818
*/
1919

2020
/* This is intended to be used in both frontend and backend, so use c.h */
@@ -314,7 +314,8 @@ pg_md5_encrypt(const char *passwd, const char *salt, size_t salt_len,
314314
char*buf)
315315
{
316316
size_tpasswd_len=strlen(passwd);
317-
char*crypt_buf=malloc(passwd_len+salt_len);
317+
/* +1 here is just to avoid risk of unportable malloc(0) */
318+
char*crypt_buf=malloc(passwd_len+salt_len+1);
318319
boolret;
319320

320321
if (!crypt_buf)
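Review bot: the comment on the added malloc line says the +1 exists only to avoid malloc(0), but that case needs both passwd_len and salt_len to be zero, and the line still adds the two size_t values with no wrap check. Suggest saying in the comment that the extra byte is padding and not room for a terminator, and either rejecting lengths whose sum would wrap or noting why callers cannot supply them.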
@@ -324,7 +325,7 @@ pg_md5_encrypt(const char *passwd, const char *salt, size_t salt_len,
324325
* Place salt at the end because it may be known by users trying to crack
325326
* the MD5 output.
326327
*/
327-
strcpy(crypt_buf,passwd);
328+
memcpy(crypt_buf,passwd,passwd_len);
328329
memcpy(crypt_buf+passwd_len,salt,salt_len);
329330

330331
strcpy(buf,"md5");
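Review bot: with memcpy(crypt_buf,passwd,passwd_len) in place of strcpy, no terminator is written, so crypt_buf is a counted buffer of passwd_len + salt_len bytes and not a C string; the block comment above the copy should say so, so that later code does not call strlen or strcpy on it. The context line strcpy(buf,"md5") also writes into the caller's buf, for which the signature carries no size, so the required size of buf is worth documenting at the function header.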
