Skip to content

Commit d72a7e4

Browse files
michaelpqmichaelpq
committed
Fix buffer overflow when processing SCRAM final message in libpq
When a client connects to a rogue server sending specifically-crafted messages, this can suffice to execute arbitrary code as the operating system account used by the client. While on it, fix one error handling when decoding an incorrect salt included in the first message received from server. Author: Michael Paquier Reviewed-by: Jonathan Katz, Heikki Linnakangas Security: CVE-2019-10164 Backpatch-through: 10
1 parent 90adc16 commit d72a7e4

File tree

1 file changed

+20
-1
lines changed

1 file changed

+20
-1
lines changed

src/interfaces/libpq/fe-auth-scram.c

Lines changed: 20 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -462,6 +462,12 @@ read_server_first_message(fe_scram_state *state, char *input,
462462
state->saltlen = pg_b64_decode(encoded_salt,
463463
strlen(encoded_salt),
464464
state->salt);
465+
if (state->saltlen < 0)
466+
{
467+
printfPQExpBuffer(errormessage,
468+
libpq_gettext("malformed SCRAM message (invalid salt)\n"));
469+
return false;
470+
}
465471

466472
iterations_str = read_attr_value(&input, 'i', errormessage);
467473
if (iterations_str == NULL)
@@ -492,6 +498,7 @@ read_server_final_message(fe_scram_state *state, char *input,
492498
PQExpBuffer errormessage)
493499
{
494500
char *encoded_server_signature;
501+
char *decoded_server_signature;
495502
int server_signature_len;
496503

497504
state->server_final_message = strdup(input);
@@ -525,15 +532,27 @@ read_server_final_message(fe_scram_state *state, char *input,
525532
printfPQExpBuffer(errormessage,
526533
libpq_gettext("malformed SCRAM message (garbage at end of server-final-message)\n"));
527534

535+
server_signature_len = pg_b64_dec_len(strlen(encoded_server_signature));
536+
decoded_server_signature = malloc(server_signature_len);
537+
if (!decoded_server_signature)
538+
{
539+
printfPQExpBuffer(errormessage,
540+
libpq_gettext("out of memory\n"));
541+
return false;
542+
}
543+
528544
server_signature_len = pg_b64_decode(encoded_server_signature,
529545
strlen(encoded_server_signature),
530-
state->ServerSignature);
546+
decoded_server_signature);
531547
if (server_signature_len != SCRAM_KEY_LEN)
532548
{
549+
free(decoded_server_signature);
533550
printfPQExpBuffer(errormessage,
534551
libpq_gettext("malformed SCRAM message (invalid server signature)\n"));
535552
return false;
536553
}
554+
memcpy(state->ServerSignature, decoded_server_signature, SCRAM_KEY_LEN);
555+
free(decoded_server_signature);
537556

538557
return true;
539558
}

0 commit comments

Comments
 (0)