From fd97bd411d1da45b79e63c2124741f8e82cc5a5c Mon Sep 17 00:00:00 2001
From: Noah Misch
Date: Mon, 18 May 2015 10:02:31 -0400
Subject: Check return values of sensitive system library calls.

PostgreSQL already checked the vast majority of these, missing this handful that nearly cannot fail. If putenv() failed with ENOMEM in pg_GSS_recvauth(), authentication would proceed with the wrong keytab file. If strftime() returned zero in cache_locale_time(), using the unspecified buffer contents could lead to information exposure or a crash. Back-patch to 9.0 (all supported versions).

Other unchecked calls to these functions, especially those in frontend code, pose negligible security concern. This patch does not address them. Nonetheless, it is always better to check return values whose specification provides for indicating an error.

In passing, fix an off-by-one error in strftime_win32()'s invocation of WideCharToMultiByte(). Upon retrieving a value of exactly MAX_L10N_DATA bytes, strftime_win32() would overrun the caller's buffer by one byte. MAX_L10N_DATA is chosen to exceed the length of every possible value, so the vulnerable scenario probably does not arise.

Security: CVE-2015-3166
---
 src/backend/libpq/auth.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'src/backend/libpq/auth.c')

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 28b050af0e2..40f30229c05 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -811,15 +811,16 @@ pg_GSS_recvauth(Port *port)
 			size_t		kt_len = strlen(pg_krb_server_keyfile) + 14;
 			char	   *kt_path = malloc(kt_len);
 
-			if (!kt_path)
+			if (!kt_path ||
+				snprintf(kt_path, kt_len, "KRB5_KTNAME=%s",
+						 pg_krb_server_keyfile) != kt_len - 2 ||
+				putenv(kt_path) != 0)
 			{
 				ereport(LOG,
 						(errcode(ERRCODE_OUT_OF_MEMORY),
 						 errmsg("out of memory")));
 				return STATUS_ERROR;
 			}
-			snprintf(kt_path, kt_len, "KRB5_KTNAME=%s", pg_krb_server_keyfile);
-			putenv(kt_path);
 		}
 	}
 
-- 
cgit v1.2.3
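Review bot: The new failure branch returns STATUS_ERROR without releasing kt_path, so a snprintf() length mismatch or a putenv() failure now leaks the malloc'd buffer where the old code only reached this branch with kt_path == NULL; adding `free(kt_path);` before `return STATUS_ERROR;` should be safe on every path into the branch, because free(NULL) is a no-op, the short-circuit means putenv() has not run after a snprintf() mismatch, and a failed putenv() should not have retained the pointer (worth confirming against the platform's putenv). The `!= kt_len - 2` test compares an int to a size_t, which -Wsign-compare flags and which only rejects a negative snprintf() result because it converts to a value far above kt_len; the coupling between that `- 2` and the `+ 14` in kt_len deserves a comment such as `/* "KRB5_KTNAME=" is 12 bytes and kt_len reserves one spare byte, so a correct write returns kt_len - 2 */`. Reporting all three failures as ERRCODE_OUT_OF_MEMORY with "out of memory" fits malloc() and putenv() (ENOMEM is putenv's only documented error) but mislabels a snprintf() failure; a wording choice rather than a defect. pg_GSS_recvauth() begins before and continues past this hunk.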