From da2fa6f8828fffe01c9a435e1d6cbeb02a76861e Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Tue, 15 Sep 2009 02:31:15 +0000 Subject: [PATCH] Fix possible buffer overrun and/or unportable behavior in pg_md5_encrypt() if salt_len == 0. This seems to be mostly academic, since nearly all calling code paths guarantee nonempty salt; the only case that doesn't is PQencryptPassword where the caller could mistakenly pass an empty username. So, fix it but don't bother backpatching. Per ljb. --- src/backend/libpq/md5.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/backend/libpq/md5.c b/src/backend/libpq/md5.c index f77975d780..bb055565f9 100644 --- a/src/backend/libpq/md5.c +++ b/src/backend/libpq/md5.c @@ -314,7 +314,8 @@ pg_md5_encrypt(const char *passwd, const char *salt, size_t salt_len, char *buf) { size_t passwd_len = strlen(passwd); - char *crypt_buf = malloc(passwd_len + salt_len); + /* +1 here is just to avoid risk of unportable malloc(0) */ + char *crypt_buf = malloc(passwd_len + salt_len + 1); bool ret; if (!crypt_buf) @@ -324,7 +325,7 @@ pg_md5_encrypt(const char *passwd, const char *salt, size_t salt_len, * Place salt at the end because it may be known by users trying to crack * the MD5 output. */ - strcpy(crypt_buf, passwd); + memcpy(crypt_buf, passwd, passwd_len); memcpy(crypt_buf + passwd_len, salt, salt_len); strcpy(buf, "md5"); -- 2.39.5