From 8ccc8957194938919be0944e49c3bf43c1b319ba Mon Sep 17 00:00:00 2001 From: Michael Paquier Date: Mon, 6 Feb 2023 11:20:07 +0900 Subject: [PATCH] Properly NULL-terminate GSS receive buffer on error packet reception pqsecure_open_gss() includes a code path handling error messages with v2-style protocol messages coming from the server. The client-side buffer holding the error message does not force a NULL-termination, with the data of the server getting copied to the errorMessage of the connection. Hence, it would be possible for a server to send an unterminated string and copy arbitrary bytes in the buffer receiving the error message in the client, opening the door to a crash or even data exposure. As at this stage of the authentication process the exchange has not been completed yet, this could be abused by an attacker without Kerberos credentials. Clients that have a valid kerberos cache are vulnerable as libpq opportunistically requests for it except if gssencmode is disabled. Author: Jacob Champion Backpatch-through: 12 Security: CVE-2022-41862 --- src/interfaces/libpq/fe-secure-gssapi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c index 7006ed58a12..aeb6e35dbdd 100644 --- a/src/interfaces/libpq/fe-secure-gssapi.c +++ b/src/interfaces/libpq/fe-secure-gssapi.c @@ -585,6 +585,8 @@ pqsecure_open_gss(PGconn *conn) PqGSSRecvLength += ret; + Assert(PqGSSRecvLength < PQ_GSS_RECV_BUFFER_SIZE); + PqGSSRecvBuffer[PqGSSRecvLength] = '\0'; appendPQExpBuffer(&conn->errorMessage, "%s\n", PqGSSRecvBuffer + 1); return PGRES_POLLING_FAILED;