Perform StartupMessage length validation

PG provides a maximum size for a StartupMessage: https://doxygen.postgresql.org/pqcomm_8h.html#a4c50c668c551887ac3a49872130349e3 Limiting the size ensures a malicious user doesn't send an overwhelmingly large StartupMessage which could DOS a Go binary that uses pgproto3.
2020-01-23 10:54:03 -05:00
parent 7c9e840726
commit 2d3823838e
2 changed files with 72 additions and 0 deletions
@@ -35,6 +35,11 @@ type Backend struct {
 	authType   uint32
 }

+const (
+	minStartupPacketLen = 4     // minStartupPacketLen is a single 32-bit int version or code.
+	maxStartupPacketLen = 10000 // maxStartupPacketLen is MAX_STARTUP_PACKET_LENGTH from PG source.
+)
+
 // NewBackend creates a new Backend.
 func NewBackend(cr ChunkReader, w io.Writer) *Backend {
 	return &Backend{cr: cr, w: w}
@@ -56,6 +61,10 @@ func (b *Backend) ReceiveStartupMessage() (FrontendMessage, error) {
 	}
 	msgSize := int(binary.BigEndian.Uint32(buf) - 4)

+	if msgSize < minStartupPacketLen || msgSize > maxStartupPacketLen {
+		return nil, fmt.Errorf("invalid length of startup packet: %d", msgSize)
+	}
+
 	buf, err = b.cr.Next(msgSize)
 	if err != nil {
 		return nil, err