authorNoah Misch2023-01-21 14:08:00 +0000
committerNoah Misch2023-01-21 14:08:00 +0000
commite52daaabf8f1bf8096b0c105e2f719d9c68be3fa (patch)
tree1d52c85919c8056948442e9ea487d3760e1c31c2
parent03023a2664f8950ad522385ff75ce004bc932a7c (diff)
Reject CancelRequestPacket having unexpected length.
When the length was too short, the server read outside the allocation. That yielded the same log noise as sending the correct length with (backendPID,cancelAuthCode) matching nothing. Change to a message about the unexpected length. Given the attacker's lack of control over the memory layout and the general lack of diversity in memory layouts at the code in question, we doubt a would-be attacker could cause a segfault. Hence, while the report arrived via [email protected], this is not a vulnerability. Back-patch to v11 (all supported versions). Andrey Borodin, reviewed by Tom Lane. Reported by Andrey Borodin.
-rw-r--r--src/backend/postmaster/postmaster.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
index 448ce38a16..711efc35e3 100644
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -2016,6 +2016,13 @@ ProcessStartupPacket(Port *port, bool ssl_done, bool gss_done)
if (proto == CANCEL_REQUEST_CODE)
{
+ if (len != sizeof(CancelRequestPacket))
+ {
+ ereport(COMMERROR,
+ (errcode(ERRCODE_PROTOCOL_VIOLATION),
+ errmsg("invalid length of startup packet")));
+ return STATUS_ERROR;
+ }
processCancelRequest(port, buf);
/* Not really an error, but we don't want to proceed further */
return STATUS_ERROR;