Date: Tue, 3 Mar 2026 16:20:37 +0900
From: Michael Paquier
To: stasos24@gmail.com, pgsql-bugs@lists.postgresql.org
Subject: Re: BUG #19422: Malformed raius packet
References: <19422-bdaba8a639a0c911@postgresql.org>

On Mon, Mar 02, 2026 at 09:04:14AM +0000, PG Bug reporting form wrote:
> User may overflow attr->length (uint8) by sending user_name with length of
> 254 that would lead to overwriting user_name attribute and to incorrect
> computation of packet->length by next call of radius_add_attribute
> [https://github.com/postgres/postgres/blob/386ca3908de28dd882a62b8f97a329db07b23138/src/backend/libpq/auth.c#L3013]
> Even though it overflows only in bounds of array, it may have negative
> effect in the future.

Fun, due to the increment of 2 added a couple of lines down. There is
an overflow calculation. There is nothing critical here.

Looking at RFC 2865, there is nothing about a limit of size for the
attributes. This means that we are only limited by our
RADIUS_BUFFER_SIZE. Hence, we could bump radius_attribute.length to
uint16 and add some casts in the check for RADIUS_BUFFER_SIZE so that we
don't overflow the addition before adding an attribute to the packet?

On the other hand, we could aim for simpler and just reject any
attributes larger than 255 bytes. I doubt that anybody would be insane
enough to use fields larger than 255 bytes anyway.

Both solutions are equal in simplicity here. Thoughts?
--
Michael
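
An added illustration of the wraparound reported in this thread and of the "reject" option raised in the reply. It is a simplified model written for this page, not PostgreSQL's auth.c: model_packet, model_add_attribute and MODEL_BUFFER_SIZE (including its value of 1024) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_BUFFER_SIZE 1024  /* assumed buffer size for this model */
#define ATTR_HEADER 2           /* one type byte + one length byte */

typedef struct {
    size_t  length;                     /* bytes of buf in use */
    uint8_t buf[MODEL_BUFFER_SIZE];
} model_packet;

/* Appends type/length/value. With reject_oversize == 0 the one-byte length
 * field is stored unchecked, so len >= 254 wraps it (254 + 2 = 256 -> 0). */
int model_add_attribute(model_packet *p, uint8_t type, const uint8_t *data,
                        size_t len, int reject_oversize)
{
    if (reject_oversize && len > UINT8_MAX - ATTR_HEADER)
        return -1;              /* cannot be encoded in a uint8 length */
    if (len > MODEL_BUFFER_SIZE - ATTR_HEADER ||
        p->length > MODEL_BUFFER_SIZE - ATTR_HEADER - len)
        return -1;              /* would not fit in the buffer */

    uint8_t *attr = p->buf + p->length;
    attr[0] = type;
    attr[1] = (uint8_t) (len + ATTR_HEADER);
    memcpy(attr + ATTR_HEADER, data, len);
    p->length += attr[1];       /* advances by the stored, possibly wrapped, value */
    return 0;
}

int main(void)
{
    uint8_t name[254], other[4] = {0};  /* constructed sample values */
    model_packet p = {0}, q = {0};

    memset(name, 'a', sizeof(name));
    model_add_attribute(&p, 1, name, sizeof(name), 0);
    printf("unchecked: length byte=%u, packet length=%zu\n",
           (unsigned) p.buf[1], p.length);
    model_add_attribute(&p, 2, other, sizeof(other), 0);
    printf("next attribute written at offset 0, type=%u\n", (unsigned) p.buf[0]);
    printf("checked: rc=%d\n",
           model_add_attribute(&q, 1, name, sizeof(name), 1));
    return 0;
}
```

In the unchecked path the packet length does not advance after the 254-byte value, so the following attribute is written over it; the checked path refuses the value before anything is stored.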