| From: | Richard Guo <rguo(at)postgresql(dot)org> |
|---|---|
| To: | pgsql-committers(at)lists(dot)postgresql(dot)org |
| Subject: | pgsql: Fix integer-overflow problem in scram_SaltedPassword() |
| Date: | 2025-03-26 08:47:57 |
| Message-ID: | E1txMQX-0013hu-0t@gemulon.postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers |
Fix integer-overflow problem in scram_SaltedPassword()
Setting the iteration count for SCRAM secret generation to INT_MAX
will cause an infinite loop in scram_SaltedPassword() due to integer
overflow, as the loop uses the "i <= iterations" comparison. To fix,
use "i < iterations" instead.
Back-patch to v16 where the user-settable GUC scram_iterations has
been added.
Author: Kevin K Biju <kevinkbiju(at)gmail(dot)com>
Reviewed-by: Richard Guo <guofenglinux(at)gmail(dot)com>
Reviewed-by: Michael Paquier <michael(at)paquier(dot)xyz>
Discussion: https://postgr.es/m/CAM45KeEMm8hnxdTOxA98qhfZ9CzGDdgy3mxgJmy0c+2WwjA6Zg@mail.gmail.com
Branch
------
master
Details
-------
https://git.postgresql.org/pg/commitdiff/7c82b4f711877b175142bb2b2a6e2c2ee2429441
Modified Files
--------------
src/common/scram-common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Richard Guo | 2025-03-26 08:50:31 | pgsql: Fix integer-overflow problem in scram_SaltedPassword() |
| Previous Message | Michael Paquier | 2025-03-26 06:21:19 | pgsql: Use relation name instead of OID in query jumbling for RangeTblE |