rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix two thinkos related to strong random keys. 

pg_backend_random() is used for MD5 salt generation, but it can fail, and
no checks were done on its status code.

Fix memory leak, if generating a random number for a cancel key failed.

Both issues were spotted by Coverity. Fix by Michael Paquier.
This commit is contained in:
Heikki Linnakangas 2016-12-12 09:58:32 +02:00
parent ad365b2f91
commit 41493bac36
2 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/backend/libpq/auth.c
View File

@ -715,7 +715,12 @@ CheckMD5Auth(Port *port, char **logdetail)
errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
/* include the salt to use for computing the response */
pg_backend_random(md5Salt, 4);
if (!pg_backend_random(md5Salt, 4))
{
ereport(LOG,
(errmsg("could not acquire random number for MD5 salt.")));
return STATUS_ERROR;
}
sendAuthRequest(port, AUTH_REQ_MD5, md5Salt, 4);

1
src/backend/postmaster/postmaster.c
View File

@ -3901,6 +3901,7 @@ BackendStartup(Port *port)
*/
if (!RandomCancelKey(&MyCancelKey))
{
free(bn);
ereport(LOG,
(errcode(ERRCODE_OUT_OF_MEMORY),
errmsg("could not acquire random number")));