Message-ID: From: "vlsi (@vlsi)" To: "pgjdbc/pgjdbc" Date: Tue, 26 May 2026 08:50:35 +0000 Subject: Re: [pgjdbc/pgjdbc] PR #4016: feat: harden protocol reader against desynced streams (#4015) In-Reply-To: References: List-Id: X-GitHub-Author-Login: vlsi X-GitHub-Comment-Id: 4542367710 X-GitHub-Comment-Type: issue_comment X-GitHub-Issue: 4016 X-GitHub-Repo: pgjdbc/pgjdbc X-GitHub-Type: comment X-GitHub-Url: https://github.com/pgjdbc/pgjdbc/pull/4016#issuecomment-4542367710 Content-Type: text/plain; charset=utf-8 I pushed an update that narrows the configurable part further. The current split is: * protocol/envelope invariants always fail in every mode and mark the stream broken * `pgjdbc.protocolHardeningMode` only applies to four pgjdbc-chosen soft caps: * `NotificationResponse > 1 MiB` * `ParameterStatus > 1 MiB` * `AuthenticationRequest > 8 + 2 MiB` * `AuthenticationGSSContinue > 8 + 2 MiB` `readMessageLength(name, min, max)` now treats `max` as an unconditional protocol-derived hard cap. Soft caps are implemented as explicit inline checks through `failOnDesync(...)`, so the code mirrors the PR description. On the review/testing concern: I agree this needs careful review. Could you clarify what concrete testing or review evidence would make this mergeable? For example, would green CI plus the targeted malformed-stream tests in this PR be sufficient, or is there a specific external workload/environment you want exercised?