Re: fix for palloc() of user-supplied length

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Neil Conway <neilc(at)samurai(dot)com>
Cc: Serguei Mokhov <mokhov(at)cs(dot)concordia(dot)ca>, PostgreSQL Patches <pgsql-patches(at)postgresql(dot)org>
Subject: Re: fix for palloc() of user-supplied length
Date: 2002-08-30 15:24:16
Message-ID: 200208301524.g7UFOHC01486@candle.pha.pa.us
Lists: pgsql-hackers pgsql-patches


Patch backed out. Thanks.

---------------------------------------------------------------------------

Neil Conway wrote:
> Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:
> > I have applied the following modified version of your patch. The
> > original version would not apply to CVS.
>
> Yes, the reason being that Tom removed the entire section of code that
> my patch modified (and that is the better solution, IMHO).
>
> The patch you've applied does something rather different, and is
> unrelated to the "vulnerability" reported by Mordred and referred to
> in the Subject -- your patch adds some additional sanity checking when
> reading the password packet from v1 protocol clients. This is
> unnecessary for two reasons:
>
> (1) We use a StringInfo to hold the input data, which is
> dynamically allocated as necessary. Since there's no
> palloc() with user-supplied data, you'd need to write x
> bytes to the backend to force it to allocate x bytes of
> memory (i.e. potential for DoS is low).
>
> (2) The length supplied by the user is completely ignored by
> the code, and it simply reads the input until it sees a
> NULL terminator (read the comments in the code about 10
> lines down.) Therefore, any sanity checking on the length
> specified by the user is a waste of time.
>
> You should probably back out your patch.
>
> Cheers,
>
> Neil
>
> --
> Neil Conway <neilc(at)samurai(dot)com> || PGP Key ID: DB3C29FC
>
>

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
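Neil's points (1) and (2) above, shown as an added C example that is not PostgreSQL code: a StringInfo-like buffer that ignores the client's declared length and grows only with the bytes actually read up to the NUL terminator, so the memory allocated stays proportional to what the client really sent rather than to what it claims. The packet layout, the constructed sample packet and all function names are assumptions made for this illustration.

```c
/* Added example (not PostgreSQL source): a growable buffer in the spirit of
 * StringInfo, fed a constructed "password packet" whose declared length is
 * untrusted and unused for allocation. */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

typedef struct { char *data; size_t len; size_t maxlen; } GrowBuf;

static void growbuf_init(GrowBuf *b) {
    b->maxlen = 16;           /* small initial capacity, like StringInfo */
    b->len = 0;
    b->data = malloc(b->maxlen);
    b->data[0] = '\0';
}

/* Append one byte, doubling capacity only when the data actually needs it. */
static void growbuf_append(GrowBuf *b, char c) {
    if (b->len + 2 > b->maxlen) {
        b->maxlen *= 2;
        b->data = realloc(b->data, b->maxlen);
    }
    b->data[b->len++] = c;
    b->data[b->len] = '\0';
}

/* Hypothetical v1-style packet: 4-byte big-endian declared length followed by
 * a NUL-terminated password. The declared length is skipped, never trusted:
 * we read until the NUL (or end of input), exactly as point (2) describes. */
static size_t read_password(const unsigned char *pkt, size_t pkt_len, GrowBuf *out) {
    size_t i = 4;             /* skip the declared length field */
    growbuf_init(out);
    while (i < pkt_len && pkt[i] != '\0')
        growbuf_append(out, (char)pkt[i++]);
    return out->maxlen;       /* bytes actually allocated for this client */
}

/* Constructed packet: claims 0x7FFFFFFF bytes but carries a 5-byte password. */
static const unsigned char sample_pkt[] = { 0x7F, 0xFF, 0xFF, 0xFF, 's', 'e', 'c', 'r', 't', '\0' };

uint32_t declared_length(void) {
    return ((uint32_t)sample_pkt[0] << 24) | ((uint32_t)sample_pkt[1] << 16) |
           ((uint32_t)sample_pkt[2] << 8) | (uint32_t)sample_pkt[3];
}

/* Returns the bytes allocated; also reports whether the parsed password matches. */
size_t allocated_for_sample(int *password_ok) {
    GrowBuf b;
    size_t alloc = read_password(sample_pkt, sizeof sample_pkt, &b);
    *password_ok = (strcmp(b.data, "secrt") == 0);
    free(b.data);
    return alloc;
}
```

A client can therefore only drive allocation up by actually transmitting the bytes, which is the low-DoS-potential point (1) makes.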