Skip to content

P
Postgres FD Implementation
Commit c4d6bda2 authored by Bruce Momjian's avatar Bruce Momjian
Browse files
Options

There is a bug in aclinsert3 in the code which update the acl arrays. 

When an acl item is added or updated the new entry is deleted if it has no
permissions and the acl array is shrinked. This is is done by decrementing
the number of items without updating the corresponding array size.
The array with the incorrect size is later read by pg_aclcheck and the entry
count is used to allocate a new array while the array size is used to copy
the old one. This causes a memory corruption and a backend crash.
This happens only to normal user as the administrator bypasses acl checks.
Massimo Dal Zotto
parent 8299e755
Hide whitespace changes
Inline Side-by-side
Showing with 3 additions and 1 deletion
src/backend/utils/adt/acl.c
View file @ c4d6bda2
...@@ -7,7 +7,7 @@ ...@@ -7,7 +7,7 @@
* *
* *
* IDENTIFICATION * IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/utils/adt/acl.c,v 1.7 1996/11/17 04:26:59 momjian Exp $ * $Header: /cvsroot/pgsql/src/backend/utils/adt/acl.c,v 1.8 1996/11/20 22:53:10 momjian Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
...@@ -417,6 +417,8 @@ aclinsert3(Acl *old_acl, AclItem *mod_aip, unsigned modechg) ...@@ -417,6 +417,8 @@ aclinsert3(Acl *old_acl, AclItem *mod_aip, unsigned modechg)
new_aip[i-1].ai_mode = new_aip[i].ai_mode; new_aip[i-1].ai_mode = new_aip[i].ai_mode;
} }
ARR_DIMS(new_acl)[0] = num -1 ; ARR_DIMS(new_acl)[0] = num -1 ;
/* Adjust also the array size because it is used for memmove */
ARR_SIZE(new_acl) -= sizeof(AclItem);
break; break;
} }
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment