Prevent a double free by not reentering be_tls_close().

Noah Misch <noah@leadboat.com>

Commit: 7a0d48ac7f5ad660414f1b0b6a36cb2b2b7a3667
Author: Noah Misch <noah@leadboat.com>
Date: 2015-05-18T14:02:35Z
Releases: 9.4.2
Prevent a double free by not reentering be_tls_close().

Reentering this function with the right timing caused a double free,
typically crashing the backend.  By synchronizing a disconnection with
the authentication timeout, an unauthenticated attacker could achieve
this somewhat consistently.  Call be_tls_close() solely from within
proc_exit_prepare().  Back-patch to 9.0 (all supported versions).

Benkocs Norbert Attila

Security: CVE-2015-3165

Files

PathChange+/−
src/backend/libpq/be-secure.c modified +0 −5
src/backend/libpq/pqcomm.c modified +18 −5
src/backend/postmaster/postmaster.c modified +10 −1