NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit9626325

committed

Add heuristic incoming-message-size limits in the server.

We had a report of confusing server behavior caused by a client bugthat sent junk to the server: the server thought the junk was avery long message length and waited patiently for data that wouldnever come. We can reduce the risk of that by being less trustingabout message lengths.For a long time, libpq has had a heuristic rule that it wouldn'tbelieve large message size words, except for a small number ofmessage types that are expected to be (potentially) long. Thisprovides some defense against loss of message-boundary sync andother corrupted-data cases. The server does something similar,except that up to now it only limited the lengths of messagesreceived during the connection authentication phase. Let'sdo the same as in libpq and put restrictions on the allowedlength of all messages, while distinguishing between messagetypes that are expected to be long and those that aren't.I used a limit of 10000 bytes for non-long messages. (libpq'scorresponding limit is 30000 bytes, but given the asymmetry ofthe FE/BE protocol, there's no good reason why the numbers shouldbe the same.) Experimentation suggests that this is at least afactor of 10, maybe a factor of 100, more than we really need;but plenty of daylight seems desirable to avoid false positives.In any case we can adjust the limit based on beta-test results.For long messages, set a limit of MaxAllocSize - 1, which is themost that we can absorb into the StringInfo buffer that the messageis collected in. This just serves to make sure that a bogus messagesize is reported as such, rather than as a confusing gripe aboutnot being able to enlarge a string buffer.While at it, make sure that non-mainline code paths (such asCOPY FROM STDIN) are as paranoid as SocketBackend is, and validatethe message type code before believing the message length.This provides an additional guard against getting stuck on corruptedinput.Discussion:https://postgr.es/m/2003757.1619373089@sss.pgh.pa.us

1 parentd6b8d29 commit9626325Copy full SHA for 9626325

File tree

6 files changed

+82

-19

lines changed

src
- backend
  - commands
    - copyfromparse.c
  - libpq
    - auth.c
    - pqcomm.c
  - replication
    - walsender.c
  - tcop
    - postgres.c
- include/libpq
  - libpq.h

6 files changed

+82

-19

lines changed

`‎src/backend/commands/copyfromparse.c`

Lines changed: 25 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -265,6 +265,7 @@ CopyGetData(CopyFromState cstate, void *databuf, int minread, int maxread)`
`265`	`265`	`{`
`266`	`266`	`/* Try to receive another message */`
`267`	`267`	`intmtype;`
	`268`	`+intmaxmsglen;`
`268`	`269`
`269`	`270`	`readmessage:`
`270`	`271`	`HOLD_CANCEL_INTERRUPTS();`
`@@ -274,11 +275,33 @@ CopyGetData(CopyFromState cstate, void *databuf, int minread, int maxread)`
`274`	`275`	`ereport(ERROR,`
`275`	`276`	`(errcode(ERRCODE_CONNECTION_FAILURE),`
`276`	`277`	`errmsg("unexpected EOF on client connection with an open transaction")));`
`277`		`-if (pq_getmessage(cstate->fe_msgbuf,0))`
	`278`	`+/* Validate message type and set packet size limit */`
	`279`	`+switch (mtype)`
	`280`	`+{`
	`281`	`+case'd':/* CopyData */`
	`282`	`+maxmsglen=PQ_LARGE_MESSAGE_LIMIT;`
	`283`	`+break;`
	`284`	`+case'c':/* CopyDone */`
	`285`	`+case'f':/* CopyFail */`
	`286`	`+case'H':/* Flush */`
	`287`	`+case'S':/* Sync */`
	`288`	`+maxmsglen=PQ_SMALL_MESSAGE_LIMIT;`
	`289`	`+break;`
	`290`	`+default:`
	`291`	`+ereport(ERROR,`
	`292`	`+(errcode(ERRCODE_PROTOCOL_VIOLATION),`
	`293`	`+errmsg("unexpected message type 0x%02X during COPY from stdin",`
	`294`	`+mtype)));`
	`295`	`+maxmsglen=0;/* keep compiler quiet */`
	`296`	`+break;`
	`297`	`+}`
	`298`	`+/* Now collect the message body */`
	`299`	`+if (pq_getmessage(cstate->fe_msgbuf,maxmsglen))`
`278`	`300`	`ereport(ERROR,`
`279`	`301`	`(errcode(ERRCODE_CONNECTION_FAILURE),`
`280`	`302`	`errmsg("unexpected EOF on client connection with an open transaction")));`
`281`	`303`	`RESUME_CANCEL_INTERRUPTS();`
	`304`	`+/* ... and process it */`
`282`	`305`	`switch (mtype)`
`283`	`306`	`{`
`284`	`307`	`case'd':/* CopyData */`
`@@ -304,11 +327,7 @@ CopyGetData(CopyFromState cstate, void *databuf, int minread, int maxread)`
`304`	`327`	`*/`
`305`	`328`	`gotoreadmessage;`
`306`	`329`	`default:`
`307`		`-ereport(ERROR,`
`308`		`-(errcode(ERRCODE_PROTOCOL_VIOLATION),`
`309`		`-errmsg("unexpected message type 0x%02X during COPY from stdin",`
`310`		`-mtype)));`
`311`		`-break;`
	`330`	`+Assert(false);/* NOT REACHED */`
`312`	`331`	`}`
`313`	`332`	`}`
`314`	`333`	`avail=cstate->fe_msgbuf->len-cstate->fe_msgbuf->cursor;`

`‎src/backend/libpq/auth.c`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -210,6 +210,7 @@ static intPerformRadiusTransaction(const char server, const char secret, cons`
`210`	`210`
`211`	`211`	`/*`
`212`	`212`	`* Maximum accepted size of GSS and SSPI authentication tokens.`
	`213`	`+ * We also use this as a limit on ordinary password packet lengths.`
`213`	`214`	`*`
`214`	`215`	`* Kerberos tickets are usually quite small, but the TGTs issued by Windows`
`215`	`216`	`* domain controllers include an authorization field known as the Privilege`
`@@ -724,7 +725,7 @@ recv_password_packet(Port *port)`
`724`	`725`	`}`
`725`	`726`
`726`	`727`	`initStringInfo(&buf);`
`727`		`-if (pq_getmessage(&buf,0))/* receive password */`
	`728`	`+if (pq_getmessage(&buf,PG_MAX_AUTH_TOKEN_LENGTH))/* receive password */`
`728`	`729`	`{`
`729`	`730`	`/* EOF - pq_getmessage already logged a suitable message */`
`730`	`731`	`pfree(buf.data);`

`‎src/backend/libpq/pqcomm.c`

Lines changed: 2 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -1203,7 +1203,7 @@ pq_is_reading_msg(void)`
`1203`	`1203`	`*is removed. Also, s->cursor is initialized to zero for convenience`
`1204`	`1204`	`*in scanning the message contents.`
`1205`	`1205`	`*`
`1206`		`- *Ifmaxlen isnot zero, it is an upper limit on the length of the`
	`1206`	`+ *maxlen isthe upper limit on the length of the`
`1207`	`1207`	`*message we are willing to accept. We abort the connection (by`
`1208`	`1208`	`*returning EOF) if client tries to send more than that.`
`1209`	`1209`	`*`
`@@ -1230,8 +1230,7 @@ pq_getmessage(StringInfo s, int maxlen)`
`1230`	`1230`
`1231`	`1231`	`len=pg_ntoh32(len);`
`1232`	`1232`
`1233`		`-if (len<4\|\|`
`1234`		`-(maxlen>0&&len>maxlen))`
	`1233`	`+if (len<4\|\|len>maxlen)`
`1235`	`1234`	`{`
`1236`	`1235`	`ereport(COMMERROR,`
`1237`	`1236`	`(errcode(ERRCODE_PROTOCOL_VIOLATION),`

`‎src/backend/replication/walsender.c`

Lines changed: 23 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -1704,6 +1704,7 @@ static void`
`1704`	`1704`	`ProcessRepliesIfAny(void)`
`1705`	`1705`	`{`
`1706`	`1706`	`unsignedcharfirstchar;`
	`1707`	`+intmaxmsglen;`
`1707`	`1708`	`intr;`
`1708`	`1709`	`boolreceived= false;`
`1709`	`1710`
`@@ -1733,17 +1734,36 @@ ProcessRepliesIfAny(void)`
`1733`	`1734`	`break;`
`1734`	`1735`	`}`
`1735`	`1736`
	`1737`	`+/* Validate message type and set packet size limit */`
	`1738`	`+switch (firstchar)`
	`1739`	`+{`
	`1740`	`+case'd':`
	`1741`	`+maxmsglen=PQ_LARGE_MESSAGE_LIMIT;`
	`1742`	`+break;`
	`1743`	`+case'c':`
	`1744`	`+case'X':`
	`1745`	`+maxmsglen=PQ_SMALL_MESSAGE_LIMIT;`
	`1746`	`+break;`
	`1747`	`+default:`
	`1748`	`+ereport(FATAL,`
	`1749`	`+(errcode(ERRCODE_PROTOCOL_VIOLATION),`
	`1750`	`+errmsg("invalid standby message type \"%c\"",`
	`1751`	`+firstchar)));`
	`1752`	`+maxmsglen=0;/* keep compiler quiet */`
	`1753`	`+break;`
	`1754`	`+}`
	`1755`	`+`
`1736`	`1756`	`/* Read the message contents */`
`1737`	`1757`	`resetStringInfo(&reply_message);`
`1738`		`-if (pq_getmessage(&reply_message,0))`
	`1758`	`+if (pq_getmessage(&reply_message,maxmsglen))`
`1739`	`1759`	`{`
`1740`	`1760`	`ereport(COMMERROR,`
`1741`	`1761`	`(errcode(ERRCODE_PROTOCOL_VIOLATION),`
`1742`	`1762`	`errmsg("unexpected EOF on standby connection")));`
`1743`	`1763`	`proc_exit(0);`
`1744`	`1764`	`}`
`1745`	`1765`
`1746`		`-/Handle the very limited subset of commands expected in this phase /`
	`1766`	`+/... and process it /`
`1747`	`1767`	`switch (firstchar)`
`1748`	`1768`	`{`
`1749`	`1769`	`/*`
`@@ -1776,10 +1796,7 @@ ProcessRepliesIfAny(void)`
`1776`	`1796`	`proc_exit(0);`
`1777`	`1797`
`1778`	`1798`	`default:`
`1779`		`-ereport(FATAL,`
`1780`		`-(errcode(ERRCODE_PROTOCOL_VIOLATION),`
`1781`		`-errmsg("invalid standby message type \"%c\"",`
`1782`		`-firstchar)));`
	`1799`	`+Assert(false);/* NOT REACHED */`
`1783`	`1800`	`}`
`1784`	`1801`	`}`
`1785`	`1802`

`‎src/backend/tcop/postgres.c`

Lines changed: 21 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -343,6 +343,7 @@ static int`
`343`	`343`	`SocketBackend(StringInfoinBuf)`
`344`	`344`	`{`
`345`	`345`	`intqtype;`
	`346`	`+intmaxmsglen;`
`346`	`347`
`347`	`348`	`/*`
`348`	`349`	`* Get message type code from the frontend.`
`@@ -375,45 +376,61 @@ SocketBackend(StringInfo inBuf)`
`375`	`376`	`/*`
`376`	`377`	`* Validate message type code before trying to read body; if we have lost`
`377`	`378`	`* sync, better to say "command unknown" than to run out of memory because`
`378`		`- * we used garbage as a length word.`
	`379`	`+ * we used garbage as a length word. We can also select a type-dependent`
	`380`	`+ * limit on what a sane length word could be. (The limit could be chosen`
	`381`	`+ * more granularly, but it's not clear it's worth fussing over.)`
`379`	`382`	`*`
`380`	`383`	`* This also gives us a place to set the doing_extended_query_message flag`
`381`	`384`	`* as soon as possible.`
`382`	`385`	`*/`
`383`	`386`	`switch (qtype)`
`384`	`387`	`{`
`385`	`388`	`case'Q':/* simple query */`
	`389`	`+maxmsglen=PQ_LARGE_MESSAGE_LIMIT;`
`386`	`390`	`doing_extended_query_message= false;`
`387`	`391`	`break;`
`388`	`392`
`389`	`393`	`case'F':/* fastpath function call */`
	`394`	`+maxmsglen=PQ_LARGE_MESSAGE_LIMIT;`
`390`	`395`	`doing_extended_query_message= false;`
`391`	`396`	`break;`
`392`	`397`
`393`	`398`	`case'X':/* terminate */`
	`399`	`+maxmsglen=PQ_SMALL_MESSAGE_LIMIT;`
`394`	`400`	`doing_extended_query_message= false;`
`395`	`401`	`ignore_till_sync= false;`
`396`	`402`	`break;`
`397`	`403`
`398`	`404`	`case'B':/* bind */`
	`405`	`+case'P':/* parse */`
	`406`	`+maxmsglen=PQ_LARGE_MESSAGE_LIMIT;`
	`407`	`+doing_extended_query_message= true;`
	`408`	`+break;`
	`409`	`+`
`399`	`410`	`case'C':/* close */`
`400`	`411`	`case'D':/* describe */`
`401`	`412`	`case'E':/* execute */`
`402`	`413`	`case'H':/* flush */`
`403`		`-case'P':/* parse */`
	`414`	`+maxmsglen=PQ_SMALL_MESSAGE_LIMIT;`
`404`	`415`	`doing_extended_query_message= true;`
`405`	`416`	`break;`
`406`	`417`
`407`	`418`	`case'S':/* sync */`
	`419`	`+maxmsglen=PQ_SMALL_MESSAGE_LIMIT;`
`408`	`420`	`/* stop any active skip-till-Sync */`
`409`	`421`	`ignore_till_sync= false;`
`410`	`422`	`/* mark not-extended, so that a new error doesn't begin skip */`
`411`	`423`	`doing_extended_query_message= false;`
`412`	`424`	`break;`
`413`	`425`
`414`	`426`	`case'd':/* copy data */`
	`427`	`+maxmsglen=PQ_LARGE_MESSAGE_LIMIT;`
	`428`	`+doing_extended_query_message= false;`
	`429`	`+break;`
	`430`	`+`
`415`	`431`	`case'c':/* copy done */`
`416`	`432`	`case'f':/* copy fail */`
	`433`	`+maxmsglen=PQ_SMALL_MESSAGE_LIMIT;`
`417`	`434`	`doing_extended_query_message= false;`
`418`	`435`	`break;`
`419`	`436`
`@@ -427,6 +444,7 @@ SocketBackend(StringInfo inBuf)`
`427`	`444`	`ereport(FATAL,`
`428`	`445`	`(errcode(ERRCODE_PROTOCOL_VIOLATION),`
`429`	`446`	`errmsg("invalid frontend message type %d",qtype)));`
	`447`	`+maxmsglen=0;/* keep compiler quiet */`
`430`	`448`	`break;`
`431`	`449`	`}`
`432`	`450`
`@@ -435,7 +453,7 @@ SocketBackend(StringInfo inBuf)`
`435`	`453`	`* after the type code; we can read the message contents independently of`
`436`	`454`	`* the type.`
`437`	`455`	`*/`
`438`		`-if (pq_getmessage(inBuf,0))`
	`456`	`+if (pq_getmessage(inBuf,maxmsglen))`
`439`	`457`	`returnEOF;/* suitable message already logged */`
`440`	`458`	`RESUME_CANCEL_INTERRUPTS();`
`441`	`459`

`‎src/include/libpq/libpq.h`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,15 @@`
`21`	`21`	`#include"storage/latch.h"`
`22`	`22`
`23`	`23`
	`24`	`+/*`
	`25`	`+ * Callers of pq_getmessage() must supply a maximum expected message size.`
	`26`	`+ * By convention, if there's not any specific reason to use another value,`
	`27`	`+ * use PQ_SMALL_MESSAGE_LIMIT for messages that shouldn't be too long, and`
	`28`	`+ * PQ_LARGE_MESSAGE_LIMIT for messages that can be long.`
	`29`	`+ */`
	`30`	`+#definePQ_SMALL_MESSAGE_LIMIT10000`
	`31`	`+#definePQ_LARGE_MESSAGE_LIMIT(MaxAllocSize - 1)`
	`32`	`+`
`24`	`33`	`typedefstruct`
`25`	`34`	`{`
`26`	`35`	`void(*comm_reset) (void);`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit9626325

File tree

6 files changed

6 files changed

`‎src/backend/commands/copyfromparse.c`

`‎src/backend/libpq/auth.c`

`‎src/backend/libpq/pqcomm.c`

`‎src/backend/replication/walsender.c`

`‎src/backend/tcop/postgres.c`

`‎src/include/libpq/libpq.h`

0 commit comments