git.ipfire.org Git - thirdparty/postgresql.git/commit
Fix unbounded recursive handling of SSL/GSS in ProcessStartupPacket()
author Michael Paquier <michael@paquier.xyz>
Mon, 11 May 2026 12:13:49 +0000 (05:13 -0700)
committer Noah Misch <noah@leadboat.com>
Mon, 11 May 2026 12:13:49 +0000 (05:13 -0700)
commit 66cf26b9e4be1b46a5039bb7ea37f65d1e52e763
tree a29e9cf3f53fa1ac71e96abe1216a907b6757fbc
parent c2e6ef86317d372f8bbca42b830c70ff3f0da275

The handling of SSL and GSS negotiation messages in
ProcessStartupPacket() could cause a recursion of the backend,
ultimately crashing the server as the negotiation attempts were not
tracked across multiple calls processing startup packets.

A malicious client could therefore alternate rejected SSL and GSS
requests indefinitely, each adding a stack frame, until the backend
crashed with a stack overflow, taking down a server.

This commit addresses this issue by modifying ProcessStartupPacket() so
that processed negotiation attempts are tracked, preventing infinite
recursive attempts.  A TAP test is added to check this problem, where
multiple SSL and GSS negotiated attempts are stacked.

Reported-by: Calif.io in collaboration with Claude and Anthropic
Research
Author: Michael Paquier <michael@paquier.xyz>
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Security: CVE-2026-6479
Backpatch-through: 14
src/backend/postmaster/postmaster.c
src/test/Makefile
src/test/meson.build
src/test/postmaster/.gitignore [new file with mode: 0644]
src/test/postmaster/Makefile [new file with mode: 0644]
src/test/postmaster/README [new file with mode: 0644]
src/test/postmaster/meson.build [new file with mode: 0644]
src/test/postmaster/t/004_negotiate.pl [new file with mode: 0644]
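
A simplified model of the failure mode the commit message describes, added here as an illustration and not taken from the PostgreSQL source or this commit's diff. `depth_untracked` assumes call-local flags that a rejected request of the other kind resets, while `negotiate_tracked` remembers attempts for the whole connection; all names and request kinds are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
enum req { REQ_SSL, REQ_GSS, REQ_STARTUP };  /* constructed kinds, not wire codes */

/* Assumed "before" shape: a call sees only the flags its caller passed, and
 * a rejected request re-arms the other kind. Returns depth reached (capped). */
static int depth_untracked(const enum req *in, size_t n, size_t i,
                           bool ssl_done, bool gss_done, int depth, int cap)
{
    if (i >= n || depth >= cap) return depth;
    if (in[i] == REQ_SSL && !ssl_done)       /* rejected, read next packet */
        return depth_untracked(in, n, i + 1, true, false, depth + 1, cap);
    if (in[i] == REQ_GSS && !gss_done)
        return depth_untracked(in, n, i + 1, false, true, depth + 1, cap);
    return depth;
}

/* Tracked form: attempts are remembered per connection, so each kind runs
 * at most once. Returns rounds processed, or -1 when a kind is repeated. */
static int negotiate_tracked(const enum req *in, size_t n)
{
    bool ssl_tried = false, gss_tried = false;
    int rounds = 0;
    for (size_t i = 0; i < n; i++, rounds++) {
        bool *tried = in[i] == REQ_SSL ? &ssl_tried
                    : in[i] == REQ_GSS ? &gss_tried : NULL;
        if (tried == NULL) return rounds;    /* regular startup packet */
        if (*tried) return -1;               /* repeated kind: refuse */
        *tried = true;
    }
    return rounds;
}

/* Constructed input: n alternating SSL/GSS requests, all rejected. */
static int run_alternating(size_t n, bool tracked)
{
    enum req buf[4096];
    if (n > 4096) n = 4096;
    for (size_t i = 0; i < n; i++) buf[i] = (i % 2) ? REQ_GSS : REQ_SSL;
    return tracked ? negotiate_tracked(buf, n)
                   : depth_untracked(buf, n, 0, false, false, 0, 1 << 20);
}

int main(void)
{
    printf("untracked depth %d, tracked result %d\n",
           run_alternating(1000, false), run_alternating(1000, true));
    return 0;
}
```

In the untracked model the depth grows linearly with the number of requests the client sends; in the tracked model the work per connection is bounded at two negotiation rounds regardless of input length.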