Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Sir Mordred The Traitor <mordred(at)s-mail(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL
Date: 2002-08-26 15:02:56
Message-ID: 23333.1030374176@sss.pgh.pa.us
Lists: pgsql-hackers

Sir Mordred The Traitor <mordred(at)s-mail(dot)com> writes:
> Note that the size of palloced memory is taken from the user's input,
> which is stupid if you ask me.

Beyond causing an "out of memory" error during the handshake, I fail to
see how there can be any problem. palloc is considerably more robust
than malloc.

> I don't want to provide any tools to illustrate this vulnerability.

Perhaps you haven't tried.

It may indeed make sense to put a range check here, but I'm getting
tired of hearing the words "dos attack" applied to conditions that
cannot be exploited to cause any real problem. All you are
accomplishing is to spread FUD among people who aren't sufficiently
familiar with the code to evaluate the seriousness of problems...

regards, tom lane
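
The range check mentioned above, sketched as an added example that is not part of the original message and is not PostgreSQL's code. Assumptions: a 4-byte big-endian length prefix that counts itself, a cap of 10000 bytes, plain malloc in place of palloc, and the hypothetical names read_handshake and MAX_HANDSHAKE_LEN.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap for a handshake message; not a value taken from PostgreSQL. */
#define MAX_HANDSHAKE_LEN 10000u
#define LEN_FIELD_SIZE 4u

enum read_status { READ_OK, READ_SHORT, READ_BAD_LENGTH, READ_NO_MEMORY };

/*
 * Parse one length-prefixed message from buf (avail bytes received so far).
 * The 4-byte big-endian length counts itself, so valid values lie in
 * [LEN_FIELD_SIZE, MAX_HANDSHAKE_LEN]. On READ_OK, *body is a malloc'd copy
 * of the payload and *body_len is its size; the caller frees it.
 */
enum read_status read_handshake(const uint8_t *buf, size_t avail,
                                uint8_t **body, size_t *body_len)
{
    uint32_t len;

    *body = NULL;
    *body_len = 0;
    if (avail < LEN_FIELD_SIZE)
        return READ_SHORT;

    len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
          ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];

    /* Range check happens before any allocation sized by the peer. */
    if (len < LEN_FIELD_SIZE || len > MAX_HANDSHAKE_LEN)
        return READ_BAD_LENGTH;
    if (avail < len)
        return READ_SHORT;   /* wait for more bytes; nothing allocated yet */

    *body_len = len - LEN_FIELD_SIZE;
    *body = malloc(*body_len ? *body_len : 1);
    if (*body == NULL)
        return READ_NO_MEMORY;
    memcpy(*body, buf + LEN_FIELD_SIZE, *body_len);
    return READ_OK;
}
```

A length outside the accepted range is rejected with no memory requested, so the peer-supplied value never reaches the allocator.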
