1*4882a593SmuzhiyunFrom 586b074026d703c29057b04b1318e984701fe195 Mon Sep 17 00:00:00 2001 2*4882a593SmuzhiyunFrom: Changqing Li <changqing.li@windriver.com> 3*4882a593SmuzhiyunDate: Thu, 2 Mar 2023 19:10:47 +0800 4*4882a593SmuzhiyunSubject: [PATCH] Properly NULL-terminate GSS receive buffer on error packet 5*4882a593Smuzhiyun reception 6*4882a593Smuzhiyun 7*4882a593Smuzhiyunpqsecure_open_gss() includes a code path handling error messages with 8*4882a593Smuzhiyunv2-style protocol messages coming from the server. The client-side 9*4882a593Smuzhiyunbuffer holding the error message does not force a NULL-termination, with 10*4882a593Smuzhiyunthe data of the server getting copied to the errorMessage of the 11*4882a593Smuzhiyunconnection. Hence, it would be possible for a server to send an 12*4882a593Smuzhiyununterminated string and copy arbitrary bytes in the buffer receiving the 13*4882a593Smuzhiyunerror message in the client, opening the door to a crash or even data 14*4882a593Smuzhiyunexposure. 15*4882a593Smuzhiyun 16*4882a593SmuzhiyunAs at this stage of the authentication process the exchange has not been 17*4882a593Smuzhiyuncompleted yet, this could be abused by an attacker without Kerberos 18*4882a593Smuzhiyuncredentials. Clients that have a valid kerberos cache are vulnerable as 19*4882a593Smuzhiyunlibpq opportunistically requests for it except if gssencmode is 20*4882a593Smuzhiyundisabled. 21*4882a593Smuzhiyun 22*4882a593SmuzhiyunAuthor: Jacob Champion 23*4882a593SmuzhiyunBackpatch-through: 12 24*4882a593SmuzhiyunSecurity: CVE-2022-41862 25*4882a593Smuzhiyun 26*4882a593SmuzhiyunUpstream-Status: Backport [https://github.com/postgres/postgres/commit/71c37797d7bd78266146a5829ab62b3687c47295] 27*4882a593SmuzhiyunCVE: CVE-2022-41862 28*4882a593Smuzhiyun 29*4882a593SmuzhiyunSigned-off-by: Changqing Li <changqing.li@windriver.com> 30*4882a593Smuzhiyun--- 31*4882a593Smuzhiyun src/interfaces/libpq/fe-secure-gssapi.c | 3 ++- 32*4882a593Smuzhiyun 1 file changed, 2 insertions(+), 1 deletion(-) 33*4882a593Smuzhiyun 34*4882a593Smuzhiyundiff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c 35*4882a593Smuzhiyunindex c783a53..a42ebc0 100644 36*4882a593Smuzhiyun--- a/src/interfaces/libpq/fe-secure-gssapi.c 37*4882a593Smuzhiyun+++ b/src/interfaces/libpq/fe-secure-gssapi.c 38*4882a593Smuzhiyun@@ -577,7 +577,8 @@ pqsecure_open_gss(PGconn *conn) 39*4882a593Smuzhiyun return result; 40*4882a593Smuzhiyun 41*4882a593Smuzhiyun PqGSSRecvLength += ret; 42*4882a593Smuzhiyun- 43*4882a593Smuzhiyun+ Assert(PqGSSRecvLength < PQ_GSS_RECV_BUFFER_SIZE); 44*4882a593Smuzhiyun+ PqGSSRecvBuffer[PqGSSRecvLength] = '\0'; 45*4882a593Smuzhiyun appendPQExpBuffer(&conn->errorMessage, "%s\n", PqGSSRecvBuffer + 1); 46*4882a593Smuzhiyun 47*4882a593Smuzhiyun return PGRES_POLLING_FAILED; 48*4882a593Smuzhiyun-- 49*4882a593Smuzhiyun2.25.1 50*4882a593Smuzhiyun 51