Home > mailing lists

Re: @(#)Mordred Labs advisory 0x0006: Two minor DoS conditions in PostgreSQL - Mailing list pgsql-hackers

From	Neil Conway
Subject	Re: @(#)Mordred Labs advisory 0x0006: Two minor DoS conditions in PostgreSQL
Date	August 26, 2002 10:13:03
Msg-id	873ct1pv4l.fsf@mailbox.samurai.com Whole thread Raw
In response to	@(#)Mordred Labs advisory 0x0006: Two minor DoS conditions in PostgreSQL (Sir Mordred The Traitor <mordred@s-mail.com>)
List	pgsql-hackers

Tree view

Sir Mordred The Traitor <mordred@s-mail.com> writes:
> template1=# select substring('xxxxxxxx',2,2147483647);      

With CVS HEAD (with database encoding = SQL_ASCII and UNICODE), I get:

nconway=# select substring('xxxxxxxx',2,2147483647);
ERROR:  negative substring length not allowed

With REL7_2_STABLE, I get:

template1=# select substring('xxxxxxxx',2,2147483647);
ERROR:  MemoryContextAlloc: invalid request size 2147483651

> template1=# select bpchar('x',100000000); 

With both CVS HEAD and REL7_2_STABLE, I get:

template1=# select bpchar('x',100000000);
zsh: 7312 segmentation fault (core dumped)  ./psql template1

(note that it's the client, and not the backend, that crashes)

Although the backend does allocate a couple hundred megs of memory
while processing the query.

Although I haven't looked at the code yet, it's probably worth noting
that the two test cases posted above are not cut-and-dry DoS
opportunities, AFAICT -- however, the code may still be vulnerable.

Cheers,

Neil

-- 
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC

pgsql-hackers by date:

From: Tom Lane
Date: 26 August 2002, 10:00:50
Subject: Re: TODO Done. Superuser backend slot reservations

From: Alessio Bragadini
Date: 26 August 2002, 10:21:05
Subject: Re: Release of v7.2.2 (Was: Re: @(#)Mordred Labs ad...)

Re: @(#)Mordred Labs advisory 0x0006: Two minor DoS conditions in PostgreSQL - Mailing list pgsql-hackers

Previous

Next