Commit 71c3779

Properly NULL-terminate GSS receive buffer on error packet reception
pqsecure_open_gss() includes a code path handling error messages with v2-style protocol messages coming from the server. The client-side buffer holding the error message does not force a NULL-termination, with the data of the server getting copied to the errorMessage of the connection. Hence, it would be possible for a server to send an unterminated string and copy arbitrary bytes in the buffer receiving the error message in the client, opening the door to a crash or even data exposure.

As at this stage of the authentication process the exchange has not been completed yet, this could be abused by an attacker without Kerberos credentials. Clients that have a valid Kerberos cache are vulnerable as libpq opportunistically requests it, except if gssencmode is disabled.

Author: Jacob Champion
Backpatch-through: 12
Security: CVE-2022-41862
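The following is an added example, not code from the commit or from libpq: it models the patched code path with a hypothetical fixed receive buffer, showing why the terminator must be written (within bounds) before the server-supplied bytes are handed to a "%s" format. Names, the buffer size and the packets are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size; libpq's real PQ_GSS_RECV_BUFFER_SIZE is larger. */
#define GSS_RECV_BUFFER_SIZE 32

/*
 * Model of the patched path in pqsecure_open_gss(): copy an untrusted v2-style
 * error packet ('E' type byte plus text the server need not NUL-terminate)
 * into a fixed receive buffer, terminate it, then format it with "%s".
 * Returns the bytes written to out, or -1 if the packet is rejected.
 */
int format_gss_error(const unsigned char *pkt, size_t pkt_len,
                     char *out, size_t out_size)
{
    char recv_buf[GSS_RECV_BUFFER_SIZE];
    int  n;

    /* Server-supplied length is untrusted: keep one byte free for '\0'. */
    if (pkt_len < 1 || pkt_len >= GSS_RECV_BUFFER_SIZE)
        return -1;
    memcpy(recv_buf, pkt, pkt_len);

    /* The line the commit adds; without it "%s" reads past the packet data. */
    recv_buf[pkt_len] = '\0';

    if (recv_buf[0] != 'E')            /* only error packets take this path */
        return -1;

    /* Mirrors appendPQExpBuffer(&conn->errorMessage, "%s\n", PqGSSRecvBuffer + 1). */
    n = snprintf(out, out_size, "%s\n", recv_buf + 1);
    return (n < 0 || (size_t) n >= out_size) ? -1 : n;
}

/* Constructed packets: one unterminated error, one over-long. Returns 1 on success. */
int demo_gss_error_handling(void)
{
    const unsigned char unterminated[] = {'E','n','o',' ','c','r','e','d','s'};
    unsigned char too_long[GSS_RECV_BUFFER_SIZE + 8];
    char out[64];

    memset(too_long, 'E', sizeof too_long);
    if (format_gss_error(unterminated, sizeof unterminated, out, sizeof out) != 9
        || strcmp(out, "no creds\n") != 0)
        return 0;
    return format_gss_error(too_long, sizeof too_long, out, sizeof out) == -1;
}
```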
1 parent 2f6e15a commit 71c3779

1 file changed: +2 -0 lines changed
src/interfaces/libpq/fe-secure-gssapi.c (2 additions & 0 deletions)
@@ -573,6 +573,8 @@ pqsecure_open_gss(PGconn *conn)
573573

574574
PqGSSRecvLength += ret;
575575

576+
Assert(PqGSSRecvLength < PQ_GSS_RECV_BUFFER_SIZE);
577+
PqGSSRecvBuffer[PqGSSRecvLength] = '\0';
576578
appendPQExpBuffer(&conn->errorMessage, "%s\n", PqGSSRecvBuffer + 1);
577579

578580
return PGRES_POLLING_FAILED;
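Review bot: The new Assert(PqGSSRecvLength < PQ_GSS_RECV_BUFFER_SIZE) is compiled out in builds without USE_ASSERT_CHECKING, so the store PqGSSRecvBuffer[PqGSSRecvLength] = '\0' that follows relies entirely on the receive code above this hunk keeping PqGSSRecvLength below the buffer size at run time; review should confirm that the length taken from the packet header is bounds-checked against PQ_GSS_RECV_BUFFER_SIZE before the data is read, or the Assert should become a real check that fails the connection, since otherwise the terminator itself could land one byte past the buffer. The PqGSSRecvBuffer + 1 passed to appendPQExpBuffer likewise assumes PqGSSRecvLength is at least 1 (the type byte), which the earlier code must guarantee.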

0 commit comments
