authorTom Lane <tgl@sss.pgh.pa.us>2009-09-15 02:31:15 +0000
committerTom Lane <tgl@sss.pgh.pa.us>2009-09-15 02:31:15 +0000
commit9a3f5301ff0e4721e560eea698702c690f8d70db (patch)
treec175a8d2327c41283b51186f58aac43a78b963d7
parentc82fdb698425ddeb9e0c7d2d01c2ce0bc3fb088f (diff)
Fix possible buffer overrun and/or unportable behavior in pg_md5_encrypt()
if salt_len == 0. This seems to be mostly academic, since nearly all calling code paths guarantee nonempty salt; the only case that doesn't is PQencryptPassword where the caller could mistakenly pass an empty username. So, fix it but don't bother backpatching. Per ljb.
-rw-r--r--src/backend/libpq/md5.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/src/backend/libpq/md5.c b/src/backend/libpq/md5.c
index 91cfe187ee9..5edee64026e 100644
--- a/src/backend/libpq/md5.c
+++ b/src/backend/libpq/md5.c
@@ -14,7 +14,7 @@
* Portions Copyright (c) 1994, Regents of the University of California
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/md5.c,v 1.36 2009/01/01 17:23:42 momjian Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/md5.c,v 1.37 2009/09/15 02:31:15 tgl Exp $
*/
/* This is intended to be used in both frontend and backend, so use c.h */
@@ -314,7 +314,8 @@ pg_md5_encrypt(const char *passwd, const char *salt, size_t salt_len,
char *buf)
{
size_t passwd_len = strlen(passwd);
- char *crypt_buf = malloc(passwd_len + salt_len);
+ /* +1 here is just to avoid risk of unportable malloc(0) */
+ char *crypt_buf = malloc(passwd_len + salt_len + 1);
bool ret;
if (!crypt_buf)
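Review bot: crypt_buf, allocated at `malloc(passwd_len + salt_len + 1)`, receives a copy of the cleartext password (the memcpy in the following hunk), and nothing visible in this commit clears it before it is released. The body of pg_md5_encrypt ends outside the hunk, so the release path is not shown; if it is a plain `free(crypt_buf)`, the password bytes stay in freed heap memory, where a later core dump or an over-read elsewhere in the process could expose them. Consider overwriting the first `passwd_len + salt_len` bytes before freeing, using a wipe the compiler cannot elide, since a plain memset() directly before free() may be optimized away.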
@@ -324,7 +325,7 @@ pg_md5_encrypt(const char *passwd, const char *salt, size_t salt_len,
* Place salt at the end because it may be known by users trying to crack
* the MD5 output.
*/
- strcpy(crypt_buf, passwd);
+ memcpy(crypt_buf, passwd, passwd_len);
memcpy(crypt_buf + passwd_len, salt, salt_len);
strcpy(buf, "md5");
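Review bot: With strcpy() replaced by memcpy(), crypt_buf is a raw byte buffer with no terminating NUL, and nothing at the two copies says so. The extra byte from the `+ 1` allocation is never written, so a later edit that hands crypt_buf to strlen() or a `%s` format would read uninitialized memory and possibly run past the allocation. A comment above the copies would pin this down, for example `/* crypt_buf is NOT NUL-terminated; use it only with length passwd_len + salt_len */`. The call that consumes the buffer lies outside this hunk, so it is worth confirming that it passes that explicit length.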