From 8f70de7e0106dc0df8b31994e2b3ad06691f5836 Mon Sep 17 00:00:00 2001 From: Noah Misch Date: Sat, 21 Jan 2023 06:08:00 -0800 Subject: [PATCH] Reject CancelRequestPacket having unexpected length. When the length was too short, the server read outside the allocation. That yielded the same log noise as sending the correct length with (backendPID,cancelAuthCode) matching nothing. Change to a message about the unexpected length. Given the attacker's lack of control over the memory layout and the general lack of diversity in memory layouts at the code in question, we doubt a would-be attacker could cause a segfault. Hence, while the report arrived via security@postgresql.org, this is not a vulnerability. Back-patch to v11 (all supported versions). Andrey Borodin, reviewed by Tom Lane. Reported by Andrey Borodin. --- src/backend/postmaster/postmaster.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c index d0ccc909692..9ce86416cef 100644 --- a/src/backend/postmaster/postmaster.c +++ b/src/backend/postmaster/postmaster.c @@ -1978,6 +1978,13 @@ ProcessStartupPacket(Port *port, bool SSLdone) if (proto == CANCEL_REQUEST_CODE) { + if (len != sizeof(CancelRequestPacket)) + { + ereport(COMMERROR, + (errcode(ERRCODE_PROTOCOL_VIOLATION), + errmsg("invalid length of startup packet"))); + return STATUS_ERROR; + } processCancelRequest(port, buf); /* Not really an error, but we don't want to proceed further */ return STATUS_ERROR; -- 2.39.5