git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Michael Paquier <michael@paquier.xyz>
	Mon, 11 May 2026 12:13:46 +0000 (05:13 -0700)
committer	Noah Misch <noah@leadboat.com>
	Mon, 11 May 2026 12:13:46 +0000 (05:13 -0700)
commit	b63f25bddfebc67b1e78f86341a6aecb0e9fe576
tree	6f81b1fd62877ca97df4020e70559783f0a66d3b	tree \| snapshot
parent	c55cea5290647c8d3e571893078664bbca955017	commit \| diff

Fix unbounded recursive handling of SSL/GSS in ProcessStartupPacket()

The handling of SSL and GSS negotiation messages in
ProcessStartupPacket() could cause a recursion of the backend,
ultimately crashing the server as the negotiation attempts were not
tracked across multiple calls processing startup packets.

A malicious client could therefore alternate rejected SSL and GSS
requests indefinitely, each adding a stack frame, until the backend
crashed with a stack overflow, taking down a server.

This commit addresses this issue by modifying ProcessStartupPacket() so
as processed negotiation attempts are tracked, preventing infinite
recursive attempts. A TAP test is added to check this problem, where
multiple SSL and GSS negotiated attempts are stacked.

Reported-by: Calif.io in collaboration with Claude and Anthropic
Research
Author: Michael Paquier <michael@paquier.xyz>
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Security: CVE-2026-6479
Backpatch-through: 14

src/backend/tcop/backend_startup.c		diff \| blob \| blame \| history
src/test/postmaster/meson.build		diff \| blob \| blame \| history
src/test/postmaster/t/004_negotiate.pl	[new file with mode: 0644]	blob