diff options
| author | Noah Misch <noah@leadboat.com> | 2015-05-18 10:02:31 -0400 |
|---|---|---|
| committer | Noah Misch <noah@leadboat.com> | 2015-05-18 10:02:31 -0400 |
| commit | 16304a013432931e61e623c8d85e9fe24709d9ba (patch) | |
| tree | 8744b71d730def0f51abca8d488a4ddc6014144c /src/backend/libpq/auth.c | |
| parent | cac18a76bb6b08f1ecc2a85e46c9d2ab82dd9d23 (diff) | |
| download | postgresql-16304a013432931e61e623c8d85e9fe24709d9ba.tar.gz postgresql-16304a013432931e61e623c8d85e9fe24709d9ba.zip | |
Add error-throwing wrappers for the printf family of functions.
All known standard library implementations of these functions can fail
with ENOMEM. A caller neglecting to check for failure would experience
missing output, information exposure, or a crash. Check return values
within wrappers and code, currently just snprintf.c, that bypasses the
wrappers. The wrappers do not return after an error, so their callers
need not check. Back-patch to 9.0 (all supported versions).
Popular free software standard library implementations do take pains to
bypass malloc() in simple cases, but they risk ENOMEM for floating point
numbers, positional arguments, large field widths, and large precisions.
No specification demands such caution, so this commit regards every call
to a printf family function as a potential threat.
Injecting the wrappers implicitly is a compromise between patch scope
and design goals. I would prefer to edit each call site to name a
wrapper explicitly. libpq and the ECPG libraries would, ideally, convey
errors to the caller rather than abort(). All that would be painfully
invasive for a back-patched security fix, hence this compromise.
Security: CVE-2015-3166
Diffstat (limited to 'src/backend/libpq/auth.c')
0 files changed, 0 insertions, 0 deletions