Re: [PATCHES] fix for palloc() of user-supplied length

From Tom Lane
Subject Re: [PATCHES] fix for palloc() of user-supplied length
Date
Msg-id 14446.1030487568@sss.pgh.pa.us
Responses Re: [PATCHES] fix for palloc() of user-supplied length  (Neil Conway <neilc@samurai.com>)
List pgsql-hackers
Neil Conway <neilc@samurai.com> writes:
> This patch fixes the so-called DoS possibility when processing the
> password packet in recv_and_check_passwordv0().

If len is signed, then something like "len < 1" needs to be in there
as well.

More generally, though, I was thinking that the appropriate answer at
this point is to rip out support for version-0 authentication
altogether.  I can't believe anyone will be trying to connect to a 7.3
or beyond server with 6.2 client libraries (v0 went away in 6.3 as best
I can tell from the CVS logs).  And if they try, it's not unreasonable
to force them to upgrade --- those old client libraries have got to be
pretty buggy themselves.  So the utility of the v0 backend code is
dubious, while its potential for more problems is real.

Anyone want to argue that we should keep the v0 protocol support
any longer?

            regards, tom lane
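As an added illustration (not the patch under discussion, which is not on the page, and not PostgreSQL code), the difference between an upper-bound-only length check and the extra `len < 1` guard Tom asks for when `len` is signed. The packet layout (host-order int32 length followed by the payload) and the `MAX_PACKET_LEN` limit are constructed for the example:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed upper bound; the real server limit is not stated on the page. */
#define MAX_PACKET_LEN 1000

/* A check that only guards the upper bound: with a signed len, a negative
 * value passes and is later converted to an enormous size_t. */
static int upper_bound_only_ok(int32_t len) {
    return len <= MAX_PACKET_LEN;
}

/* The check the thread asks for: guard both ends because len is signed. */
static int both_bounds_ok(int32_t len) {
    return len >= 1 && len <= MAX_PACKET_LEN;
}

/* What an allocator is asked for if a negative length is passed as size_t. */
static size_t alloc_request_for(int32_t len) {
    return (size_t) len;
}

/* Parse a length-prefixed packet (hypothetical layout: host-order int32
 * length, then payload). Returns NULL on any bad or truncated length. */
static char *read_packet(const unsigned char *buf, size_t buflen, int32_t *out_len) {
    int32_t len;
    if (buflen < sizeof len) return NULL;
    memcpy(&len, buf, sizeof len);
    if (!both_bounds_ok(len)) return NULL;               /* rejects len < 1 too */
    if ((size_t) len > buflen - sizeof len) return NULL; /* payload shorter than claimed */
    char *pkt = malloc((size_t) len + 1);
    if (pkt == NULL) return NULL;
    memcpy(pkt, buf + sizeof len, (size_t) len);
    pkt[len] = '\0';
    *out_len = len;
    return pkt;
}

/* Constructed sample packet: header claims `claimed`, payload is "abcd".
 * Returns 1 if the parser accepts it, 0 if it is rejected. */
static int sample_packet_accepted(int32_t claimed) {
    unsigned char buf[8];
    int32_t got = 0;
    memcpy(buf, &claimed, sizeof claimed);
    memcpy(buf + 4, "abcd", 4);
    char *p = read_packet(buf, sizeof buf, &got);
    int ok = (p != NULL && got == claimed);
    free(p);
    return ok;
}
```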
