Skip to content

Commit 27c464e

Browse files
michaelpqmichaelpq
committed
Fix buffer overflow when processing SCRAM final message in libpq
When a client connects to a rogue server sending specifically-crafted messages, this can suffice to execute arbitrary code as the operating system account used by the client. While on it, fix one error handling when decoding an incorrect salt included in the first message received from server. Author: Michael Paquier Reviewed-by: Jonathan Katz, Heikki Linnakangas Security: CVE-2019-10164 Backpatch-through: 10
1 parent 4c779ce commit 27c464e

File tree

1 file changed

+20
-1
lines changed

1 file changed

+20
-1
lines changed

src/interfaces/libpq/fe-auth-scram.c

Lines changed: 20 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -586,6 +586,12 @@ read_server_first_message(fe_scram_state *state, char *input)
586586
state->saltlen = pg_b64_decode(encoded_salt,
587587
strlen(encoded_salt),
588588
state->salt);
589+
if (state->saltlen < 0)
590+
{
591+
printfPQExpBuffer(&conn->errorMessage,
592+
libpq_gettext("malformed SCRAM message (invalid salt)\n"));
593+
return false;
594+
}
589595

590596
iterations_str = read_attr_value(&input, 'i', &conn->errorMessage);
591597
if (iterations_str == NULL)
@@ -616,6 +622,7 @@ read_server_final_message(fe_scram_state *state, char *input)
616622
{
617623
PGconn *conn = state->conn;
618624
char *encoded_server_signature;
625+
char *decoded_server_signature;
619626
int server_signature_len;
620627

621628
state->server_final_message = strdup(input);
@@ -651,15 +658,27 @@ read_server_final_message(fe_scram_state *state, char *input)
651658
printfPQExpBuffer(&conn->errorMessage,
652659
libpq_gettext("malformed SCRAM message (garbage at end of server-final-message)\n"));
653660

661+
server_signature_len = pg_b64_dec_len(strlen(encoded_server_signature));
662+
decoded_server_signature = malloc(server_signature_len);
663+
if (!decoded_server_signature)
664+
{
665+
printfPQExpBuffer(&conn->errorMessage,
666+
libpq_gettext("out of memory\n"));
667+
return false;
668+
}
669+
654670
server_signature_len = pg_b64_decode(encoded_server_signature,
655671
strlen(encoded_server_signature),
656-
state->ServerSignature);
672+
decoded_server_signature);
657673
if (server_signature_len != SCRAM_KEY_LEN)
658674
{
675+
free(decoded_server_signature);
659676
printfPQExpBuffer(&conn->errorMessage,
660677
libpq_gettext("malformed SCRAM message (invalid server signature)\n"));
661678
return false;
662679
}
680+
memcpy(state->ServerSignature, decoded_server_signature, SCRAM_KEY_LEN);
681+
free(decoded_server_signature);
663682

664683
return true;
665684
}

0 commit comments

Comments
 (0)