gopkg/pgx
2
0
Fork 0
Code Activity

Do not allow protocol messages larger than ~1GB

Browse Source 
The PostgreSQL server will reject messages greater than ~1 GB anyway.
However, worse than that is that a message that is larger than 4 GB
could wrap the 32-bit integer message size and be interpreted by the
server as multiple messages. This could allow a malicious client to
inject arbitrary protocol messages.

https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv
This commit is contained in:
Jack Christensen
2024-03-02 11:24:16 -06:00
committed by Jack Christensen
parent c1b0a01ca7
commit adbb38f298
61 changed files with 472 additions and 390 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pgproto3/authentication_gss_continue.go
+3 -4
View File
@@ -31,12 +31,11 @@ func (a *AuthenticationGSSContinue) Decode(src []byte) error {
return nil
}
func (a *AuthenticationGSSContinue) Encode(dst []byte) []byte {
dst = append(dst, 'R')
dst = pgio.AppendInt32(dst, int32(len(a.Data))+8)
func (a *AuthenticationGSSContinue) Encode(dst []byte) ([]byte, error) {
dst, sp := beginMessage(dst, 'R')
dst = pgio.AppendUint32(dst, AuthTypeGSSCont)
dst = append(dst, a.Data...)
return dst
return finishMessage(dst, sp)
}
func (a *AuthenticationGSSContinue) MarshalJSON() ([]byte, error) {