mirror of
https://github.com/postgres/postgres.git
synced 2025-06-10 09:21:54 +03:00
Fix possible buffer overrun and/or unportable behavior in pg_md5_encrypt()
if salt_len == 0. This seems to be mostly academic, since nearly all calling code paths guarantee nonempty salt; the only case that doesn't is PQencryptPassword where the caller could mistakenly pass an empty username. So, fix it but don't bother backpatching. Per ljb.
This commit is contained in:
parent
c82fdb6984
commit
9a3f5301ff
@ -14,7 +14,7 @@
|
|||||||
* Portions Copyright (c) 1994, Regents of the University of California
|
* Portions Copyright (c) 1994, Regents of the University of California
|
||||||
*
|
*
|
||||||
* IDENTIFICATION
|
* IDENTIFICATION
|
||||||
* $PostgreSQL: pgsql/src/backend/libpq/md5.c,v 1.36 2009/01/01 17:23:42 momjian Exp $
|
* $PostgreSQL: pgsql/src/backend/libpq/md5.c,v 1.37 2009/09/15 02:31:15 tgl Exp $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* This is intended to be used in both frontend and backend, so use c.h */
|
/* This is intended to be used in both frontend and backend, so use c.h */
|
||||||
@ -314,7 +314,8 @@ pg_md5_encrypt(const char *passwd, const char *salt, size_t salt_len,
|
|||||||
char *buf)
|
char *buf)
|
||||||
{
|
{
|
||||||
size_t passwd_len = strlen(passwd);
|
size_t passwd_len = strlen(passwd);
|
||||||
char *crypt_buf = malloc(passwd_len + salt_len);
|
/* +1 here is just to avoid risk of unportable malloc(0) */
|
||||||
|
char *crypt_buf = malloc(passwd_len + salt_len + 1);
|
||||||
bool ret;
|
bool ret;
|
||||||
|
|
||||||
if (!crypt_buf)
|
if (!crypt_buf)
|
||||||
@ -324,7 +325,7 @@ pg_md5_encrypt(const char *passwd, const char *salt, size_t salt_len,
|
|||||||
* Place salt at the end because it may be known by users trying to crack
|
* Place salt at the end because it may be known by users trying to crack
|
||||||
* the MD5 output.
|
* the MD5 output.
|
||||||
*/
|
*/
|
||||||
strcpy(crypt_buf, passwd);
|
memcpy(crypt_buf, passwd, passwd_len);
|
||||||
memcpy(crypt_buf + passwd_len, salt, salt_len);
|
memcpy(crypt_buf + passwd_len, salt, salt_len);
|
||||||
|
|
||||||
strcpy(buf, "md5");
|
strcpy(buf, "md5");
|
||||||
|
Loading…
x
Reference in New Issue
Block a user