Abort authentication if the client selected an invalid SASL mechanism.
authorHeikki Linnakangas <heikki.linnakangas@iki.fi>
Thu, 25 May 2017 12:50:47 +0000 (08:50 -0400)
committerHeikki Linnakangas <heikki.linnakangas@iki.fi>
Thu, 25 May 2017 12:50:47 +0000 (08:50 -0400)
Previously, the server would log an error, but then try to continue with
SCRAM-SHA-256 anyway.

Michael Paquier

Discussion: https://www.postgresql.org/message-id/CAB7nPqR0G5aF2_kc_LH29knVqwvmBc66TF5DicvpGVdke68nKw@mail.gmail.com

src/backend/libpq/auth.c

index c895ba0c326f8dd571c4b4db9536b469d3df4918..5b68e3b7a16d3e50cb3427a3b8c7f63092a8c853 100644 (file)
@@ -934,9 +934,13 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
                         */
                        selected_mech = pq_getmsgrawstring(&buf);
                        if (strcmp(selected_mech, SCRAM_SHA256_NAME) != 0)
+                       {
                                ereport(COMMERROR,
                                                (errcode(ERRCODE_PROTOCOL_VIOLATION),
                                                 errmsg("client selected an invalid SASL authentication mechanism")));
+                               pfree(buf.data);
+                               return STATUS_ERROR;
+                       }
 
                        inputlen = pq_getmsgint(&buf, 4);
                        if (inputlen == -1)
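Review bot: The new early return in the `strcmp(selected_mech, SCRAM_SHA256_NAME) != 0` branch releases only `buf.data`. CheckSCRAMAuth begins and ends outside this hunk, so it is worth confirming that nothing else set up earlier in the function needs releasing on this path. I would also put a comment on the return stating the intent, e.g. `/* Fail closed: do not continue the exchange unless the client chose SCRAM-SHA-256. */`, so a later refactor does not turn this back into log-and-continue. No regression test is visible on this page; a case where the client names an unsupported mechanism and authentication must end with an error would pin the behaviour.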