Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to content

Commit b674211

Browse files
michaelpqmichaelpq
committed
Fix buffer overflow when processing SCRAM final message in libpq
When a client connects to a rogue server sending specifically-crafted messages, this can suffice to execute arbitrary code as the operating system account used by the client. While on it, fix one error handling when decoding an incorrect salt included in the first message received from server. Author: Michael Paquier Reviewed-by: Jonathan Katz, Heikki Linnakangas Security: CVE-2019-10164 Backpatch-through: 10
1 parent 09ec55b commit b674211

File tree

1 file changed

+20
-1
lines changed

1 file changed

+20
-1
lines changed

src/interfaces/libpq/fe-auth-scram.c

+20-1
Original file line numberDiff line numberDiff line change
@@ -580,6 +580,12 @@ read_server_first_message(fe_scram_state *state, char *input)
580580
state->saltlen = pg_b64_decode(encoded_salt,
581581
strlen(encoded_salt),
582582
state->salt);
583+
if (state->saltlen < 0)
584+
{
585+
printfPQExpBuffer(&conn->errorMessage,
586+
libpq_gettext("malformed SCRAM message (invalid salt)\n"));
587+
return false;
588+
}
583589

584590
iterations_str = read_attr_value(&input, 'i', &conn->errorMessage);
585591
if (iterations_str == NULL)
@@ -610,6 +616,7 @@ read_server_final_message(fe_scram_state *state, char *input)
610616
{
611617
PGconn *conn = state->conn;
612618
char *encoded_server_signature;
619+
char *decoded_server_signature;
613620
int server_signature_len;
614621

615622
state->server_final_message = strdup(input);
@@ -645,15 +652,27 @@ read_server_final_message(fe_scram_state *state, char *input)
645652
printfPQExpBuffer(&conn->errorMessage,
646653
libpq_gettext("malformed SCRAM message (garbage at end of server-final-message)\n"));
647654

655+
server_signature_len = pg_b64_dec_len(strlen(encoded_server_signature));
656+
decoded_server_signature = malloc(server_signature_len);
657+
if (!decoded_server_signature)
658+
{
659+
printfPQExpBuffer(&conn->errorMessage,
660+
libpq_gettext("out of memory\n"));
661+
return false;
662+
}
663+
648664
server_signature_len = pg_b64_decode(encoded_server_signature,
649665
strlen(encoded_server_signature),
650-
state->ServerSignature);
666+
decoded_server_signature);
651667
if (server_signature_len != SCRAM_KEY_LEN)
652668
{
669+
free(decoded_server_signature);
653670
printfPQExpBuffer(&conn->errorMessage,
654671
libpq_gettext("malformed SCRAM message (invalid server signature)\n"));
655672
return false;
656673
}
674+
memcpy(state->ServerSignature, decoded_server_signature, SCRAM_KEY_LEN);
675+
free(decoded_server_signature);
657676

658677
return true;
659678
}

0 commit comments

Comments
 (0)