From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Neil Conway <neilc(at)samurai(dot)com> |
Cc: | PostgreSQL Patches <pgsql-patches(at)postgresql(dot)org>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: fix for palloc() of user-supplied length |
Date: | 2002-08-27 22:32:48 |
Message-ID: | 14446.1030487568@sss.pgh.pa.us |
Lists: | pgsql-hackers pgsql-patches |
Neil Conway <neilc(at)samurai(dot)com> writes:
> This patch fixes the so-called DoS possibility when processing the
> password packet in recv_and_check_passwordv0().
If len is signed, then something like "len < 1" needs to be in there
as well.
More generally, though, I was thinking that the appropriate answer at
this point is to rip out support for version-0 authentication
altogether. I can't believe anyone will be trying to connect to a 7.3
or beyond server with 6.2 client libraries (v0 went away in 6.3 as best
I can tell from the CVS logs). And if they try, it's not unreasonable
to force them to upgrade --- those old client libraries have got to be
pretty buggy themselves. So the utility of the v0 backend code is
dubious, while its potential for more problems is real.
Anyone want to argue that we should keep the v0 protocol support
any longer?
regards, tom lane
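The point raised above, that a length taken from the wire must be range-checked on both ends before it reaches an allocator when the variable is signed, is shown in the following added illustration. This is example code written for this page, not PostgreSQL's recv_and_check_passwordv0() or any code from the thread; the packet layout (a 4-byte big-endian length prefix followed by the payload), the MAX_PASSWORD_LEN bound and the helper names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound on an accepted password payload; a value
 * constructed for this example, not one taken from PostgreSQL. */
#define MAX_PASSWORD_LEN 1024

/* Validate a length field read from an untrusted packet before it is used
 * to size an allocation.  'len' is deliberately signed to mirror the point
 * in the message: a negative value must be rejected explicitly (len < 1),
 * because a later cast to size_t would turn it into an enormous request.
 * Stores the checked length in *out and returns true only when len lies in
 * [1, MAX_PASSWORD_LEN]. */
bool check_user_len(int32_t len, size_t *out)
{
    if (len < 1)                          /* rejects 0 and every negative value */
        return false;
    if ((size_t) len > MAX_PASSWORD_LEN)  /* rejects oversized requests */
        return false;
    *out = (size_t) len;
    return true;
}

/* Parse a 4-byte big-endian length prefix followed by that many payload
 * bytes.  Returns a freshly malloc'ed, NUL-terminated copy of the payload,
 * or NULL if the packet is malformed.  The caller frees the result. */
char *read_length_prefixed(const unsigned char *pkt, size_t pkt_size)
{
    if (pkt_size < 4)
        return NULL;
    /* Reassemble the prefix as the signed 32-bit value the sender declared. */
    int32_t raw = (int32_t) (((uint32_t) pkt[0] << 24) | ((uint32_t) pkt[1] << 16) |
                             ((uint32_t) pkt[2] << 8)  |  (uint32_t) pkt[3]);
    size_t len;
    if (!check_user_len(raw, &len))
        return NULL;
    if (pkt_size - 4 < len)               /* declared length exceeds what arrived */
        return NULL;
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, pkt + 4, len);
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed sample packets for demonstration. */
    const unsigned char good[]     = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    const unsigned char negative[] = {0xff, 0xff, 0xff, 0xfb, 'x'};   /* len = -5 */
    const unsigned char huge[]     = {0x7f, 0xff, 0xff, 0xff};        /* len = INT32_MAX */

    char *p = read_length_prefixed(good, sizeof good);
    printf("good:     %s\n", p ? p : "(rejected)");
    free(p);
    printf("negative: %s\n", read_length_prefixed(negative, sizeof negative) ? "accepted" : "rejected");
    printf("huge:     %s\n", read_length_prefixed(huge, sizeof huge) ? "accepted" : "rejected");
    return 0;
}
```

The two checks in check_user_len() are the whole point: the lower bound catches the signed-wraparound case the message describes, and the upper bound caps how much memory a single unauthenticated packet can make the server allocate.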