
Guard against send-lots-and-lots-of-data DoS attack from unauthenticated

users, by limiting the length of string we will accept for a password.
Patch by Serguei Mokhov, some editorializing by Tom Lane.
This commit is contained in:
Tom Lane
2002-09-04 23:31:35 +00:00
parent c5214b9f6c
commit 3f63787cbf
6 changed files with 38 additions and 24 deletions


@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.90 2002/09/04 20:31:18 momjian Exp $
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.91 2002/09/04 23:31:34 tgl Exp $
*
*-------------------------------------------------------------------------
*/
@ -563,12 +563,11 @@ pam_passwd_conv_proc(int num_msg, const struct pam_message ** msg, struct pam_re
{
sendAuthRequest(pam_port_cludge, AUTH_REQ_PASSWORD);
if (pq_eof() == EOF || pq_getint(&len, 4) == EOF)
{
return PAM_CONV_ERR; /* client didn't want to send password */
}
initStringInfo(&buf);
pq_getstr(&buf);
if (pq_getstr_bounded(&buf, 1000) == EOF)
return PAM_CONV_ERR; /* EOF while reading password */
/* Do not echo failed password to logs, for security. */
elog(DEBUG5, "received PAM packet");
@ -707,7 +706,7 @@ recv_and_check_password_packet(Port *port)
return STATUS_EOF; /* client didn't want to send password */
initStringInfo(&buf);
if (pq_getstr(&buf) == EOF) /* receive password */
if (pq_getstr_bounded(&buf, 1000) == EOF) /* receive password */
{
pfree(buf.data);
return STATUS_EOF;
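Review bot: The new EOF path in pam_passwd_conv_proc returns PAM_CONV_ERR without releasing the buffer that initStringInfo(&buf) allocated on the line just before it, whereas the parallel change in recv_and_check_password_packet does pfree(buf.data) before returning STATUS_EOF; for consistency I would write `if (pq_getstr_bounded(&buf, 1000) == EOF) { pfree(buf.data); return PAM_CONV_ERR; }` (whether the leak matters in practice depends on the memory context this conversation callback runs in, which is not visible here). The limit 1000 is now duplicated as a bare literal at both call sites in this file; a single named constant would keep the two bounds in step if the value is ever tuned. pq_getstr_bounded is defined outside this file section, so I cannot tell whether an over-long password is rejected or silently truncated to the bound — if it is truncated, both callers will proceed to verify a truncated password rather than fail the attempt, which deserves a one-line comment at each call site once confirmed against its definition. pam_passwd_conv_proc's body begins before and continues after the hunk.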