summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6fc8a7b)
raw | patch | inline | side by side (parent: 6fc8a7b)
| author | Daniel Gustafsson <dgustafsson@postgresql.org> | |
| Tue, 30 Jan 2024 10:15:46 +0000 (11:15 +0100) | ||
| committer | Daniel Gustafsson <dgustafsson@postgresql.org> | |
| Tue, 30 Jan 2024 10:15:46 +0000 (11:15 +0100) |
The code copying the PGP block into the temp buffer failed to
account for the extra 2 bytes in the buffer which are needed
for the prefix. If the block was oversized, subsequent checks
of the prefix would have exceeded the buffer size. Since the
block sizes are hardcoded in the list of supported ciphers it
can be verified that there is no live bug here. Backpatch all
the way for consistency though, as this bug is old.
Author: Mikhail Gribkov <youzhick@gmail.com>
Discussion: https://postgr.es/m/CAMEv5_uWvcMCMdRFDsJLz2Q8g16HEa9xWyfrkr+FYMMFJhawOw@mail.gmail.com
Backpatch-through: v12
account for the extra 2 bytes in the buffer which are needed
for the prefix. If the block was oversized, subsequent checks
of the prefix would have exceeded the buffer size. Since the
block sizes are hardcoded in the list of supported ciphers it
can be verified that there is no live bug here. Backpatch all
the way for consistency though, as this bug is old.
Author: Mikhail Gribkov <youzhick@gmail.com>
Discussion: https://postgr.es/m/CAMEv5_uWvcMCMdRFDsJLz2Q8g16HEa9xWyfrkr+FYMMFJhawOw@mail.gmail.com
Backpatch-through: v12
| contrib/pgcrypto/pgp-decrypt.c | patch | blob | blame | history |
index d12dcad19452d3c651ea9a1711e16c8927cde7ac..e1ea5b3e58dcfba87cd44be7354364496ac0df2b 100644 (file)
uint8 tmpbuf[PGP_MAX_BLOCK + 2];
len = pgp_get_cipher_block_size(ctx->cipher_algo);
- if (len > sizeof(tmpbuf))
+ /* Make sure we have space for prefix */
+ if (len > PGP_MAX_BLOCK)
return PXE_BUG;
res = pullf_read_max(src, len + 2, &buf, tmpbuf);