summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a196e67)
raw | patch | inline | side by side (parent: a196e67)
| author | Tom Lane <tgl@sss.pgh.pa.us> | |
| Sat, 21 Feb 2015 17:59:25 +0000 (12:59 -0500) | ||
| committer | Tom Lane <tgl@sss.pgh.pa.us> | |
| Sat, 21 Feb 2015 17:59:39 +0000 (12:59 -0500) |
After finding an "=" character, the pointer was advanced twice when it
should only advance once. This is harmless as long as the value after "="
has at least one character; but if it doesn't, we'd miss the terminator
character and include too much in the value.
In principle this could lead to reading off the end of memory. It does not
seem worth treating as a security issue though, because it would happen on
client side, and besides client logic that's taking conninfo strings from
untrusted sources has much worse security problems than this.
Report and patch received off-list from Thomas Fanghaenel.
Back-patch to 9.2 where the faulty code was introduced.
should only advance once. This is harmless as long as the value after "="
has at least one character; but if it doesn't, we'd miss the terminator
character and include too much in the value.
In principle this could lead to reading off the end of memory. It does not
seem worth treating as a security issue though, because it would happen on
client side, and besides client logic that's taking conninfo strings from
untrusted sources has much worse security problems than this.
Report and patch received off-list from Thomas Fanghaenel.
Back-patch to 9.2 where the faulty code was introduced.
| src/interfaces/libpq/fe-connect.c | patch | blob | blame | history |
index c524661ec77b4326c69c9d95d0ed0fc00e45548b..1721b3146663dc95089205fd87fa1bca3aa955b7 100644 (file)
++p;
break;
}
-
- /* Advance, NUL is checked in the 'if' above */
- ++p;
+ else
+ ++p; /* Advance over all other bytes. */
}
keyword = conninfo_uri_decode(keyword, errorMessage);