Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL - Mailing list pgsql-hackers

From Tom Lane
Subject Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL
Date
Msg-id 23333.1030374176@sss.pgh.pa.us
Whole thread Raw
In response to @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL  (Sir Mordred The Traitor <mordred@s-mail.com>)
Responses Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL
List pgsql-hackers
Sir Mordred The Traitor <mordred@s-mail.com> writes:
> Note, that the size of palloced memory is taken from the user's input,
> which is stupid if you ask me.

Beyond causing an "out of memory" error during the handshake, I fail to
see how there can be any problem.  palloc is considerably more robust
than malloc.

> I dont want to provide any tools to illustrate this vulnerability.

Perhaps you haven't tried.

It may indeed make sense to put a range check here, but I'm getting
tired of hearing the words "dos attack" applied to conditions that
cannot be exploited to cause any real problem.  All you are
accomplishing is to spread FUD among people who aren't sufficiently
familiar with the code to evaluate the seriousness of problems...
        regards, tom lane


pgsql-hackers by date:

Previous
From: "Shridhar Daithankar"
Date:
Subject: Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL
Next
From: Lamar Owen
Date:
Subject: Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL