Home > mailing lists

Possible buffer overrun in src/backend/libpq/hba.c gethba_options() - Mailing list pgsql-hackers

From	Julian Hsiao
Subject	Possible buffer overrun in src/backend/libpq/hba.c gethba_options()
Date	November 13, 2018 05:02:22
Msg-id	CADnGQpzbkWdKS2YHNifwAvX5VEsJ5gW49U4o-7UL5pzyTv4vTg@mail.gmail.com Whole thread Raw
Responses	Re: Possible buffer overrun in src/backend/libpq/hba.c gethba_options() (Thomas Munro <thomas.munro@enterprisedb.com>)
List	pgsql-hackers

Tree view

Hi,

During a routine Coverity scan of our internal PostgreSQL fork, it
issued a buffer overrun warning for src/backend/libpq/hba.c,
gethba_options()[0]:

MAIN_ISSUE EventDescription: Overrunning array "options" of 12 8-byte
elements at element index 12 (byte offset 96) using index "noptions++"
(which evaluates to 12).
[...]
        if (hba->ldapscope)
            options[noptions++] =
                CStringGetTextDatum(psprintf("ldapscope=%d", hba->ldapscope));
[...]

This is because earlier in the function[1], if hba->usermap,
hba->clientcert, and hba->pamservice were set then noptions would
exceed MAX_HBA_OPTIONS. Of course, if those options are mutually
exclusive with hba->auth_method == uaLDAP, then it's a false positive.
Is that the case, or should MAX_HBA_OPTIONS be increased?

Thanks.

[0] https://github.com/postgres/postgres/blob/master/src/backend/libpq/hba.c#L2307
[1] https://github.com/postgres/postgres/blob/master/src/backend/libpq/hba.c#L2249

pgsql-hackers by date:

From: Peter Geoghegan
Date: 13 November 2018, 04:47:45
Subject: Re: Making all nbtree entries unique by having heap TIDs participatein comparisons

From: "Yotsunaga, Naoki"
Date: 13 November 2018, 05:04:13
Subject: RE: [Proposal] Add accumulated statistics for wait event

Possible buffer overrun in src/backend/libpq/hba.c gethba_options() - Mailing list pgsql-hackers

Previous

Next