git.ipfire.org Git - thirdparty/postgresql.git/commit
Fix unbounded recursive handling of SSL/GSS in ProcessStartupPacket()
author: Michael Paquier <michael@paquier.xyz>
Mon, 11 May 2026 12:13:50 +0000 (05:13 -0700)
committer: Noah Misch <noah@leadboat.com>
Mon, 11 May 2026 12:13:50 +0000 (05:13 -0700)
commit: 3fb66d3022f7bf89143f1452e030d86bd0e1f58e
tree: f25ca9d2ae8837bd8ec38eca644a997aa3ced9b2
parent: 16fda4df63226fe0d5239fe13cdb5aec580c133f

The handling of SSL and GSS negotiation messages in
ProcessStartupPacket() could cause a recursion of the backend,
ultimately crashing the server as the negotiation attempts were not
tracked across multiple calls processing startup packets.

A malicious client could therefore alternate rejected SSL and GSS
requests indefinitely, each adding a stack frame, until the backend
crashed with a stack overflow, taking down a server.

This commit addresses this issue by modifying ProcessStartupPacket() so
that processed negotiation attempts are tracked, preventing infinite
recursive attempts.  A TAP test is added to check this problem, where
multiple SSL and GSS negotiated attempts are stacked.

Reported-by: Calif.io in collaboration with Claude and Anthropic
Research
Author: Michael Paquier <michael@paquier.xyz>
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Security: CVE-2026-6479
Backpatch-through: 14
src/backend/postmaster/postmaster.c
src/test/Makefile
src/test/postmaster/.gitignore [new file with mode: 0644]
src/test/postmaster/Makefile [new file with mode: 0644]
src/test/postmaster/README [new file with mode: 0644]
src/test/postmaster/t/004_negotiate.pl [new file with mode: 0644]
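
The tracking idea from the commit message, as a simplified model added here; it is not code from this commit or from PostgreSQL. The request kinds, `process_startup()` and `alternating_depth()` are hypothetical names, and the `track=false` variant is an assumption made for contrast, not the actual pre-fix code.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical request kinds; not PostgreSQL's protocol constants. */
typedef enum { REQ_SSL, REQ_GSS, REQ_STARTUP } req_t;
typedef struct { bool accepted; int depth; } result_t;

/*
 * Model: every encryption request is rejected, then the handler recurses to
 * read the next packet. track=false forgets the other mechanism's flag on
 * each recursion (assumed for contrast); track=true carries both flags.
 */
static result_t
process_startup(const req_t *pkts, size_t n, size_t i,
                bool ssl_done, bool gss_done, bool track, int depth)
{
    result_t fail = { false, depth };

    if (i >= n)
        return fail;            /* client went away without a startup packet */

    switch (pkts[i])
    {
        case REQ_SSL:
            if (ssl_done)
                return fail;    /* second SSL request: drop the connection */
            return process_startup(pkts, n, i + 1, true,
                                   track ? gss_done : false, track, depth + 1);
        case REQ_GSS:
            if (gss_done)
                return fail;    /* second GSS request: drop the connection */
            return process_startup(pkts, n, i + 1,
                                   track ? ssl_done : false, true, track, depth + 1);
        default:
            return (result_t) { true, depth };  /* real startup packet */
    }
}

/* Constructed input: n alternating SSL/GSS requests, never a startup packet. */
static int
alternating_depth(size_t n, bool track)
{
    req_t pkts[64];

    if (n > 64) n = 64;
    for (size_t k = 0; k < n; k++)
        pkts[k] = (k % 2 == 0) ? REQ_SSL : REQ_GSS;
    return process_startup(pkts, n, 0, false, false, track, 0).depth;
}
```

With tracking, the recursion depth is capped at one frame per negotiation mechanism regardless of how many requests the client sends; without it, depth grows with the length of the client's input.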