authorTom Lane2009-09-15 02:31:15 +0000
committerTom Lane2009-09-15 02:31:15 +0000
commitda2fa6f8828fffe01c9a435e1d6cbeb02a76861e (patch)
tree8624a76301a7fabf657030128697c8980bf1112a
parent05754a951cc879435bd14fdd85eb8ad4c6a14920 (diff)
Fix possible buffer overrun and/or unportable behavior in pg_md5_encrypt()
if salt_len == 0. This seems to be mostly academic, since nearly all calling code paths guarantee nonempty salt; the only case that doesn't is PQencryptPassword where the caller could mistakenly pass an empty username. So, fix it but don't bother backpatching. Per ljb.
-rw-r--r--src/backend/libpq/md5.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/backend/libpq/md5.c b/src/backend/libpq/md5.c
index f77975d780..bb055565f9 100644
--- a/src/backend/libpq/md5.c
+++ b/src/backend/libpq/md5.c
@@ -314,7 +314,8 @@ pg_md5_encrypt(const char *passwd, const char *salt, size_t salt_len,
char *buf)
{
size_t passwd_len = strlen(passwd);
- char *crypt_buf = malloc(passwd_len + salt_len);
+ /* +1 here is just to avoid risk of unportable malloc(0) */
+ char *crypt_buf = malloc(passwd_len + salt_len + 1);
bool ret;
if (!crypt_buf)
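Review bot: The buffer allocated here as `crypt_buf` receives the cleartext password (the `memcpy(crypt_buf, passwd, passwd_len)` in the next hunk), and nothing visible in this diff clears it before it is released. The function's cleanup lies outside the hunk, so this is inferred: if it ends in a plain `free(crypt_buf)`, the password bytes stay in freed heap memory and can surface in a core dump or a later allocation. Since the commit message says this path is reachable from PQencryptPassword, I would wipe `passwd_len + salt_len` bytes just before the free with a clear the compiler cannot optimise away, for example `explicit_bzero(crypt_buf, passwd_len + salt_len);` where the platform provides it.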
@@ -324,7 +325,7 @@ pg_md5_encrypt(const char *passwd, const char *salt, size_t salt_len,
* Place salt at the end because it may be known by users trying to crack
* the MD5 output.
*/
- strcpy(crypt_buf, passwd);
+ memcpy(crypt_buf, passwd, passwd_len);
memcpy(crypt_buf + passwd_len, salt, salt_len);
strcpy(buf, "md5");
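Review bot: After the switch to `memcpy(crypt_buf, passwd, passwd_len)`, `crypt_buf` is never NUL-terminated and the spare byte from the `+ 1` in the allocation is left uninitialised, but no comment records that. This is correct only as long as every later use passes the explicit length `passwd_len + salt_len`; the rest of the function is outside the hunk, so I cannot confirm that here. I would extend the existing block comment with `crypt_buf is a counted byte buffer, not a C string; the spare byte is never written, so do not use str*() on it`, so that a later edit does not reintroduce a string call that reads past the data.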