Prevent a double free by not reentering be_tls_close().
Noah Misch <noah@leadboat.com>
Prevent a double free by not reentering be_tls_close(). Reentering this function with the right timing caused a double free, typically crashing the backend. By synchronizing a disconnection with the authentication timeout, an unauthenticated attacker could achieve this somewhat consistently. Call be_tls_close() solely from within proc_exit_prepare(). Back-patch to 9.0 (all supported versions). Benkocs Norbert Attila Security: CVE-2015-3165
Files
| Path | Change | +/− |
|---|---|---|
| src/backend/libpq/be-secure-openssl.c | modified | +0 −5 |
| src/backend/libpq/pqcomm.c | modified | +18 −5 |
| src/backend/postmaster/postmaster.c | modified | +10 −1 |