From b0ce385032d72d6acf1e330f733013553fe6affe Mon Sep 17 00:00:00 2001
From: Noah Misch
Date: Mon, 18 May 2015 10:02:31 -0400
Subject: Prevent a double free by not reentering be_tls_close().

Reentering this function with the right timing caused a double free, typically crashing the backend. By synchronizing a disconnection with the authentication timeout, an unauthenticated attacker could achieve this somewhat consistently. Call be_tls_close() solely from within proc_exit_prepare().

Back-patch to 9.0 (all supported versions).

Benkocs Norbert Attila

Security: CVE-2015-3165
---
 src/backend/libpq/be-secure-openssl.c | 5 -----
 1 file changed, 5 deletions(-)

(limited to 'src/backend/libpq/be-secure-openssl.c')

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index f7f6618bc21..2646555f141 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -353,7 +353,6 @@ be_tls_open_server(Port *port)
 (errcode(ERRCODE_PROTOCOL_VIOLATION),
 errmsg("could not initialize SSL connection: %s",
 SSLerrmessage())));
- be_tls_close(port);
 return -1;
 }
 if (!my_SSL_set_fd(port, port->sock))
@@ -362,7 +361,6 @@ be_tls_open_server(Port *port)
 (errcode(ERRCODE_PROTOCOL_VIOLATION),
 errmsg("could not set SSL socket: %s",
 SSLerrmessage())));
- be_tls_close(port);
 return -1;
 }
 port->ssl_in_use = true;
@@ -419,7 +417,6 @@ aloop:
 err)));
 break;
 }
- be_tls_close(port);
 return -1;
 }
 
@@ -449,7 +446,6 @@ aloop:
 {
 /* shouldn't happen */
 pfree(peer_cn);
- be_tls_close(port);
 return -1;
 }
 
@@ -463,7 +459,6 @@ aloop:
 (errcode(ERRCODE_PROTOCOL_VIOLATION),
 errmsg("SSL certificate's common name contains embedded null")));
 pfree(peer_cn);
- be_tls_close(port);
 return -1;
 }
 
-- 
cgit v1.2.3
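Review bot: Nothing at the five `return -1` sites now records that the SSL state is deliberately left for proc_exit_prepare() to release, so a later contributor tidying "leaked" handshake failures could restore the local be_tls_close() call and reintroduce the reentrancy this commit removes; the same applies to the hunks at -362, -419, -449 and -463. Add a comment at the first site, e.g. `/* Do not call be_tls_close() here: it runs only from proc_exit_prepare(), and reentering it caused a double free (CVE-2015-3165). */`, and a one-line cross-reference in be_tls_close()'s header comment (outside this diff). In the first two hunks the failure occurs before `port->ssl_in_use = true;`, so whatever proc_exit_prepare() calls presumably must not key its cleanup solely on that flag for the SSL object to be freed — worth confirming against the exit path. The enclosing function be_tls_open_server() starts and ends outside these hunks.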