Fix buffer overflow when processing SCRAM final message in libpq

When a client connects to a rogue server sending specifically-crafted messages, this can suffice to execute arbitrary code as the operating system account used by the client. While on it, fix one error handling when decoding an incorrect salt included in the first message received from server. Author: Michael Paquier Reviewed-by: Jonathan Katz, Heikki Linnakangas Security: CVE-2019-10164 Backpatch-through: 10

Fix buffer overflow when processing SCRAM final message in libpq
When a client connects to a rogue server sending specifically-crafted messages, this can suffice to execute arbitrary code as the operating system account used by the client. While on it, fix one error handling when decoding an incorrect salt included in the first message received from server. Author: Michael Paquier Reviewed-by: Jonathan Katz, Heikki Linnakangas Security: CVE-2019-10164 Backpatch-through: 10
b6742117 · Michael Paquier · 09ec55b9 · b6742117
Commit b6742117 authored Jun 17, 2019 by Michael Paquier
Show whitespace changes
Inline Side-by-side

Showing with 20 additions and 1 deletion

src/interfaces/libpq/fe-auth-scram.c src/interfaces/libpq/fe-auth-scram.c +20 -1

No files found.
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -580,6 +580,12 @@ read_server_first_message(fe_scram_state *state, char *input)
 	state->saltlen = pg_b64_decode(encoded_salt,
 								   strlen(encoded_salt),
 								   state->salt);
+	if (state->saltlen < 0)
+	{
+		printfPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("malformed SCRAM message (invalid salt)\n"));
+		return false;
+	}

 	iterations_str = read_attr_value(&input, 'i', &conn->errorMessage);
 	if (iterations_str == NULL)
@@ -610,6 +616,7 @@ read_server_final_message(fe_scram_state *state, char *input)
 {
 	PGconn	   *conn = state->conn;
 	char	   *encoded_server_signature;
+	char	   *decoded_server_signature;
 	int			server_signature_len;

 	state->server_final_message = strdup(input);
@@ -645,15 +652,27 @@ read_server_final_message(fe_scram_state *state, char *input)
 		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("malformed SCRAM message (garbage at end of server-final-message)\n"));

+	server_signature_len = pg_b64_dec_len(strlen(encoded_server_signature));
+	decoded_server_signature = malloc(server_signature_len);
+	if (!decoded_server_signature)
+	{
+		printfPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("out of memory\n"));
+		return false;
+	}
+
 	server_signature_len = pg_b64_decode(encoded_server_signature,
 										 strlen(encoded_server_signature),
-										 state->ServerSignature);
+										 decoded_server_signature);
 	if (server_signature_len != SCRAM_KEY_LEN)
 	{
+		free(decoded_server_signature);
 		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("malformed SCRAM message (invalid server signature)\n"));
 		return false;
 	}
+	memcpy(state->ServerSignature, decoded_server_signature, SCRAM_KEY_LEN);
+	free(decoded_server_signature);

 	return true;
 }