database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-06-22 02:52:08 +03:00
Code Activity

Prevent a double free by not reentering be_tls_close().

Browse Source 
Reentering this function with the right timing caused a double free,
typically crashing the backend.  By synchronizing a disconnection with
the authentication timeout, an unauthenticated attacker could achieve
this somewhat consistently.  Call be_tls_close() solely from within
proc_exit_prepare().  Back-patch to 9.0 (all supported versions).

Benkocs Norbert Attila

Security: CVE-2015-3165
This commit is contained in:
Noah Misch
2015-05-18 10:02:31 -04:00
parent 8cc7a4c5fd
commit b0ce385032
3 changed files with 28 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/backend/libpq/be-secure-openssl.c
View File

@ -353,7 +353,6 @@ be_tls_open_server(Port *port)
(errcode(ERRCODE_PROTOCOL_VIOLATION),
errmsg("could not initialize SSL connection: %s",
SSLerrmessage())));
be_tls_close(port);
return -1;
}
if (!my_SSL_set_fd(port, port->sock))
@ -362,7 +361,6 @@ be_tls_open_server(Port *port)
(errcode(ERRCODE_PROTOCOL_VIOLATION),
errmsg("could not set SSL socket: %s",
SSLerrmessage())));
be_tls_close(port);
return -1;
}
port->ssl_in_use = true;
@ -419,7 +417,6 @@ aloop:
err)));
break;
}
be_tls_close(port);
return -1;
}
@ -449,7 +446,6 @@ aloop:
{
/* shouldn't happen */
pfree(peer_cn);
be_tls_close(port);
return -1;
}
@ -463,7 +459,6 @@ aloop:
(errcode(ERRCODE_PROTOCOL_VIOLATION),
errmsg("SSL certificate's common name contains embedded null")));
pfree(peer_cn);
be_tls_close(port);
return -1;
}