git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Tom Lane <tgl@sss.pgh.pa.us>
	Mon, 8 Nov 2021 16:01:43 +0000 (11:01 -0500)
committer	Tom Lane <tgl@sss.pgh.pa.us>
	Mon, 8 Nov 2021 16:01:43 +0000 (11:01 -0500)
commit	9ae0f1112954989e955b4b29e4580216eccfcee4
tree	e7f9f557099e85c2c84b07855863aa653e80d344	tree
parent	c3bda112ebe20fe47da44ae644a77a1aef5083bf	commit \| diff

Reject extraneous data after SSL or GSS encryption handshake.

The server collects up to a bufferload of data whenever it reads data
from the client socket. When SSL or GSS encryption is requested
during startup, any additional data received with the initial
request message remained in the buffer, and would be treated as
already-decrypted data once the encryption handshake completed.
Thus, a man-in-the-middle with the ability to inject data into the
TCP connection could stuff some cleartext data into the start of
a supposedly encryption-protected database session.

This could be abused to send faked SQL commands to the server,
although that would only work if the server did not demand any
authentication data. (However, a server relying on SSL certificate
authentication might well not do so.)

To fix, throw a protocol-violation error if the internal buffer
is not empty after the encryption handshake.

Our thanks to Jacob Champion for reporting this problem.

Security: CVE-2021-23214

src/backend/libpq/pqcomm.c		diff \| blob \| blame \| history
src/backend/postmaster/postmaster.c		diff \| blob \| blame \| history
src/include/libpq/libpq.h		diff \| blob \| blame \| history