Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to content

Commit 46da7bf

Browse files
committed
Fix severe memory leaks in GSSAPI encryption support.
Both the backend and libpq leaked buffers containing encrypted data to be transmitted, so that the process size would grow roughly as the total amount of data sent. There were also far-less-critical leaks of the same sort in GSSAPI session establishment. Oversight in commit b0b39f7, which I failed to notice while reviewing the code in 2c0cdc8. Per complaint from pmc@citylink. Back-patch to v12 where this code was introduced. Discussion: https://postgr.es/m/20200504115649.GA77072@gate.oper.dinoex.org
1 parent d4329a6 commit 46da7bf

File tree

2 files changed

+16
-0
lines changed

2 files changed

+16
-0
lines changed

src/backend/libpq/be-secure-gssapi.c

+7
Original file line numberDiff line numberDiff line change
@@ -215,6 +215,9 @@ be_gssapi_write(Port *port, void *ptr, size_t len)
215215

216216
memcpy(PqGSSSendBuffer + PqGSSSendLength, output.value, output.length);
217217
PqGSSSendLength += output.length;
218+
219+
/* Release buffer storage allocated by GSSAPI */
220+
gss_release_buffer(&minor, &output);
218221
}
219222

220223
/* If we get here, our counters should all match up. */
@@ -371,6 +374,7 @@ be_gssapi_read(Port *port, void *ptr, size_t len)
371374
/* Our receive buffer is now empty, reset it */
372375
PqGSSRecvLength = 0;
373376

377+
/* Release buffer storage allocated by GSSAPI */
374378
gss_release_buffer(&minor, &output);
375379
}
376380

@@ -590,7 +594,10 @@ secure_open_gssapi(Port *port)
590594
*/
591595
if (ret < 0 &&
592596
!(errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR))
597+
{
598+
gss_release_buffer(&minor, &output);
593599
return -1;
600+
}
594601

595602
/* Wait and retry if we couldn't write yet */
596603
if (ret <= 0)

src/interfaces/libpq/fe-secure-gssapi.c

+9
Original file line numberDiff line numberDiff line change
@@ -232,6 +232,9 @@ pg_GSS_write(PGconn *conn, const void *ptr, size_t len)
232232

233233
memcpy(PqGSSSendBuffer + PqGSSSendLength, output.value, output.length);
234234
PqGSSSendLength += output.length;
235+
236+
/* Release buffer storage allocated by GSSAPI */
237+
gss_release_buffer(&minor, &output);
235238
}
236239

237240
/* If we get here, our counters should all match up. */
@@ -241,6 +244,7 @@ pg_GSS_write(PGconn *conn, const void *ptr, size_t len)
241244
ret = bytes_sent;
242245

243246
cleanup:
247+
/* Release GSSAPI buffer storage, if we didn't already */
244248
if (output.value != NULL)
245249
gss_release_buffer(&minor, &output);
246250
return ret;
@@ -408,12 +412,14 @@ pg_GSS_read(PGconn *conn, void *ptr, size_t len)
408412
/* Our receive buffer is now empty, reset it */
409413
PqGSSRecvLength = 0;
410414

415+
/* Release buffer storage allocated by GSSAPI */
411416
gss_release_buffer(&minor, &output);
412417
}
413418

414419
ret = bytes_returned;
415420

416421
cleanup:
422+
/* Release GSSAPI buffer storage, if we didn't already */
417423
if (output.value != NULL)
418424
gss_release_buffer(&minor, &output);
419425
return ret;
@@ -652,6 +658,7 @@ pqsecure_open_gss(PGconn *conn)
652658
gss_release_cred(&minor, &conn->gcred);
653659
conn->gcred = GSS_C_NO_CREDENTIAL;
654660
conn->gssenc = true;
661+
gss_release_buffer(&minor, &output);
655662

656663
/*
657664
* Determine the max packet size which will fit in our buffer, after
@@ -676,6 +683,7 @@ pqsecure_open_gss(PGconn *conn)
676683
{
677684
pg_GSS_error(libpq_gettext("GSSAPI context establishment error"),
678685
conn, major, minor);
686+
gss_release_buffer(&minor, &output);
679687
return PGRES_POLLING_FAILED;
680688
}
681689

@@ -690,6 +698,7 @@ pqsecure_open_gss(PGconn *conn)
690698

691699
/* We don't bother with PqGSSSendConsumed here */
692700

701+
/* Release buffer storage allocated by GSSAPI */
693702
gss_release_buffer(&minor, &output);
694703

695704
/* Ask to be called again to write data */

0 commit comments

Comments
 (0)