git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Tom Lane <tgl@sss.pgh.pa.us>
	Mon, 8 Nov 2021 16:01:43 +0000 (11:01 -0500)
committer	Tom Lane <tgl@sss.pgh.pa.us>
	Mon, 8 Nov 2021 16:01:43 +0000 (11:01 -0500)
commit	e92ed93e8eb76ee0701b42d4f0ce94e6af3fc741
tree	747c7536594cfb590e0b56a6cdf92c6d2c7defe9	tree
parent	7c0a78f089980cec45927aa3160add1781aed402	commit \| diff

Reject extraneous data after SSL or GSS encryption handshake.

The server collects up to a bufferload of data whenever it reads data
from the client socket. When SSL or GSS encryption is requested
during startup, any additional data received with the initial
request message remained in the buffer, and would be treated as
already-decrypted data once the encryption handshake completed.
Thus, a man-in-the-middle with the ability to inject data into the
TCP connection could stuff some cleartext data into the start of
a supposedly encryption-protected database session.

This could be abused to send faked SQL commands to the server,
although that would only work if the server did not demand any
authentication data. (However, a server relying on SSL certificate
authentication might well not do so.)

To fix, throw a protocol-violation error if the internal buffer
is not empty after the encryption handshake.

Our thanks to Jacob Champion for reporting this problem.

Security: CVE-2021-23214

src/backend/libpq/pqcomm.c		diff \| blob \| blame \| history
src/backend/postmaster/postmaster.c		diff \| blob \| blame \| history
src/include/libpq/libpq.h		diff \| blob \| blame \| history