Re: fix for palloc() of user-supplied length
From | Bruce Momjian |
---|---|
Subject | Re: fix for palloc() of user-supplied length |
Date | |
Msg-id | 200208301524.g7UFOHC01486@candle.pha.pa.us |
In response to | Re: fix for palloc() of user-supplied length (Neil Conway <neilc@samurai.com>) |
List | pgsql-patches |
Patch backed out. Thanks.

---------------------------------------------------------------------------

Neil Conway wrote:
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > I have applied the following modified version of your patch. The
> > original version would not apply to CVS.
>
> Yes, the reason being that Tom removed the entire section of code that
> my patch modified (and that is the better solution, IMHO).
>
> The patch you've applied does something rather different, and is
> unrelated to the "vulnerability" reported by Mordred and referred to
> in the Subject -- your patch adds some additional sanity checking when
> reading the password packet from v1 protocol clients. This is
> unnecessary for two reasons:
>
>     (1) We use a StringInfo to hold the input data, which is
>         dynamically allocated as necessary. Since there's no
>         palloc() with user-supplied data, you'd need to write x
>         bytes to the backend to force it to allocate x bytes of
>         memory (i.e. potential for DoS is low).
>
>     (2) The length supplied by the user is completely ignored by
>         the code, and it simply reads the input until it sees a
>         NULL terminator (read the comments in the code about 10
>         lines down.) Therefore, any sanity checking on the length
>         specified by the user is a waste of time.
>
> You should probably back out your patch.
>
> Cheers,
>
> Neil
>
> --
> Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC
>

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
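Points (1) and (2) of the quoted message, as an added example that is not part of the thread and is not PostgreSQL code: a reader that ignores the client-declared length and grows its buffer only as bytes actually arrive. `GrowBuf`, `growbuf_append`, `read_packet` and the wire layout are hypothetical names and assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical growable buffer standing in for the StringInfo idea;
 * this is not PostgreSQL's API. */
typedef struct {
    char  *data;
    size_t len;   /* bytes stored, excluding the terminator */
    size_t cap;   /* bytes allocated */
} GrowBuf;

static int growbuf_append(GrowBuf *b, char c)
{
    if (b->len + 2 > b->cap) {               /* room for c plus '\0' */
        size_t ncap = b->cap ? b->cap * 2 : 16;
        char *p = realloc(b->data, ncap);
        if (p == NULL)
            return -1;
        b->data = p;
        b->cap = ncap;
    }
    b->data[b->len++] = c;
    b->data[b->len] = '\0';
    return 0;
}

/* Constructed wire layout (assumption): 4-byte big-endian declared length,
 * then a zero-terminated string. The declared length is reported to the
 * caller but never used to size an allocation or to bound the read.
 * Returns 0 on success, -1 on truncated input or allocation failure. */
int read_packet(const unsigned char *in, size_t avail,
                GrowBuf *out, uint32_t *declared)
{
    size_t i;

    if (avail < 4)
        return -1;
    *declared = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
                ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];
    for (i = 4; i < avail; i++) {
        if (in[i] == '\0')
            return 0;                         /* terminator ends the read */
        if (growbuf_append(out, (char)in[i]) != 0)
            return -1;
    }
    return -1;                                /* no terminator received */
}
```

With a constructed packet that declares a length of 0xFFFFFFFF but carries only seven bytes of payload, the allocation stays at the initial 16 bytes, which is the behaviour the message relies on when it calls the DoS potential low.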