Fix unbounded recursive handling of SSL/GSS in ProcessStartupPacket()

The handling of SSL and GSS negotiation messages in ProcessStartupPacket() could cause a recursion of the backend, ultimately crashing the server as the negotiation attempts were not tracked across multiple calls processing startup packets.

A malicious client could therefore alternate rejected SSL and GSS requests indefinitely, each adding a stack frame, until the backend crashed with a stack overflow, taking down a server.

This commit addresses this issue by modifying ProcessStartupPacket() so that processed negotiation attempts are tracked, preventing infinite recursive attempts. A TAP test is added to check this problem, where multiple SSL and GSS negotiated attempts are stacked.

Reported-by: Calif.io in collaboration with Claude and Anthropic Research
Author: Michael Paquier <[email protected]>
Reviewed-by: Daniel Gustafsson <[email protected]>
Security: CVE-2026-6479
Backpatch-through: 14

Branch
------
REL_17_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/32a4ce55ccabe4c1e9b1e45d4efc1e62e69fc754

Author: Michael Paquier <[email protected]>

Modified Files
--------------
src/backend/tcop/backend_startup.c     | 23 +++++++++-
src/test/Makefile                      |  2 +-
src/test/meson.build                   |  1 +
src/test/postmaster/.gitignore         |  2 +
src/test/postmaster/Makefile           | 23 ++++++++++
src/test/postmaster/README             | 27 +++++++++++
src/test/postmaster/meson.build        | 12 +++++
src/test/postmaster/t/004_negotiate.pl | 82 ++++++++++++++++++++++++++++++++++
8 files changed, 169 insertions(+), 3 deletions(-)
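
The effect of tracking negotiation attempts, shown as a simplified model added here for illustration; it is not PostgreSQL's code and not part of the commit. The handler, message kinds and helper names are hypothetical, and the input is a constructed sequence of alternating SSL/GSS requests followed by a startup packet.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed message kinds standing in for the startup packet's request code. */
typedef enum { MSG_SSL_REQUEST, MSG_GSS_REQUEST, MSG_STARTUP } msg_kind;
typedef enum { ST_OK, ST_ERROR } status;

typedef struct {
    size_t n_negotiations;  /* constructed input: n alternating requests, then startup */
    size_t pos;             /* index of the next message to read */
    size_t max_depth;       /* deepest nesting reached by the handler */
} conn;

/* Next message of the constructed sequence: SSL, GSS, SSL, ... then startup. */
static msg_kind next_msg(conn *c)
{
    size_t i = c->pos++;
    if (i >= c->n_negotiations) return MSG_STARTUP;
    return (i % 2 == 0) ? MSG_SSL_REQUEST : MSG_GSS_REQUEST;
}

/* Hypothetical handler. With tracked == false it keeps no memory of earlier
 * attempts, so every rejected request costs one more nested call. */
static status handle(conn *c, size_t depth, bool tracked, bool ssl_done, bool gss_done)
{
    msg_kind m = next_msg(c);
    if (depth > c->max_depth) c->max_depth = depth;
    if (m == MSG_STARTUP) return ST_OK;
    if (!tracked)  /* request rejected, next packet is read in a nested call */
        return handle(c, depth + 1, false, false, false);
    if (m == MSG_SSL_REQUEST && !ssl_done)
        return handle(c, depth + 1, true, true, gss_done);
    if (m == MSG_GSS_REQUEST && !gss_done)
        return handle(c, depth + 1, true, ssl_done, true);
    return ST_ERROR;  /* this kind of request was already processed: refuse */
}

/* Deepest nesting reached for n alternating requests. */
size_t max_depth_for(bool tracked, size_t n)
{
    conn c = { n, 0, 0 };
    handle(&c, 0, tracked, false, false);
    return c.max_depth;
}

/* Final outcome for n alternating requests. */
status status_for(bool tracked, size_t n)
{
    conn c = { n, 0, 0 };
    return handle(&c, 0, tracked, false, false);
}

int main(void) { return max_depth_for(true, 1000) == 2 ? 0 : 1; }
```

In the untracked model the nesting depth equals the number of requests the client sends; with the flags carried across calls it never exceeds two, and a repeated request ends the connection attempt.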
