public inbox for [email protected]
help / color / mirror / Atom feedFrom: Jacob Champion <[email protected]>
To: Daniel Gustafsson <[email protected]>
Cc: Andres Freund <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Subject: Re: oauth integer overflow
Date: Fri, 5 Jun 2026 12:06:27 -0700
Message-ID: <CAOYmi+kKqSrU5c8D60rgSj6ybiNwsZkxgTJhef+w0-mRpw=m0A@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <qtclihmrkq67ach3xjxyi4qcksstin5qxwsnkqefkmotxwh4g6@ae2bj6jvcmry>
<[email protected]>
<CAOYmi+n4U_g+k1Bfs2eavJdps0qQj3HFDa5i3V1c0m3CLYUWhA@mail.gmail.com>
<[email protected]>
<CAOYmi+k6K6VKTZLPtQLHnoSSMRZfH_=x6bHRUC3zf1F9kjyb1Q@mail.gmail.com>
<fcaddr2zt4q7ee5mm7vctb723pcgfjpyo2hnhjhgae2nysobjf@epjk3wl4i2ck>
<CAOYmi+mGZ5H+k_Y-ascgK7X9snAGdBUOuc=FZRxu6gnB_mjFFQ@mail.gmail.com>
<[email protected]>
On Thu, Apr 23, 2026 at 11:31 AM Jacob Champion
<[email protected]> wrote:
> Attached. The static_assert for the millisecond calculation is the
> only part I don't really like, but doing an overflow check on a
> calculation that can't overflow int64 is even more verbose/wasteful.
I was preparing to commit this for beta1 last week, and I realized
that I've changed my tune. With all the recent backports of overflow
checks, I think I need to be reaching for them by default, especially
in a non-performance-critical path.
v2 rewrites that part with a checked multiplication, which removes any
need for a static_assert complication.
On Tue, Apr 28, 2026 at 4:18 AM Daniel Gustafsson <[email protected]> wrote:
> When teading "disabled timer" I interpret that as a timer which is 0 and has no
> interval (which might be due to not being a native speaker), but what it
> actually describes is an interval which (in practice) never ends. Perhaps it
> could be phrased more like "for most people is going to be equivalent to a
> never ending interval".
This has been completely rewritten now; see what you think.
Thanks!
--Jacob
Attachments:
[application/octet-stream] v2-0001-libpq-oauth-Avoid-overflow-for-very-large-interva.patch (3.4K, 2-v2-0001-libpq-oauth-Avoid-overflow-for-very-large-interva.patch)
download | inline diff:
From d6d3a851e73fede3b3d601f735e099d3206c5cff Mon Sep 17 00:00:00 2001
From: Jacob Champion <[email protected]>
Date: Fri, 29 May 2026 16:21:46 -0700
Subject: [PATCH v2] libpq-oauth: Avoid overflow for very large intervals
The slow_down interval parsing code checks explicitly for overflow, but
since it does that after the signed overflow has already occurred, we
end up inviting undefined behavior from the compiler anyway.
Use checked arithmetic instead. set_timer() takes a long int in order to
interface nicely with libcurl, so use an int32 as the interval counter
and clamp to LONG_MAX during conversion to milliseconds.
Backpatch to 18, where libpq-oauth was introduced.
Reported-by: Andres Freund <[email protected]>
Reviewed-by: Daniel Gustafsson <[email protected]>
Discussion: https://postgr.es/m/qtclihmrkq67ach3xjxyi4qcksstin5qxwsnkqefkmotxwh4g6%40ae2bj6jvcmry
Backpatch-through: 18
---
src/interfaces/libpq-oauth/oauth-curl.c | 35 ++++++++++++++++++-------
1 file changed, 25 insertions(+), 10 deletions(-)
diff --git a/src/interfaces/libpq-oauth/oauth-curl.c b/src/interfaces/libpq-oauth/oauth-curl.c
index 7ba75fc6d04..260137291cb 100644
--- a/src/interfaces/libpq-oauth/oauth-curl.c
+++ b/src/interfaces/libpq-oauth/oauth-curl.c
@@ -28,6 +28,7 @@
#error libpq-oauth is not supported on this platform
#endif
+#include "common/int.h"
#include "common/jsonapi.h"
#include "mb/pg_wchar.h"
#include "oauth-curl.h"
@@ -136,7 +137,7 @@ struct device_authz
/* Fields below are parsed from the corresponding string above. */
int expires_in;
- int interval;
+ int32 interval;
};
static void
@@ -1020,7 +1021,7 @@ parse_json_number(const char *s)
* expensive network polling loop.) Tests may remove the lower bound with
* PGOAUTHDEBUG, for improved performance.
*/
-static int
+static int32
parse_interval(struct async_ctx *actx, const char *interval_str)
{
double parsed;
@@ -1031,8 +1032,8 @@ parse_interval(struct async_ctx *actx, const char *interval_str)
if (parsed < 1)
return (actx->debug_flags & OAUTHDEBUG_UNSAFE_DOS_ENDPOINT) ? 0 : 1;
- else if (parsed >= INT_MAX)
- return INT_MAX;
+ else if (parsed >= INT32_MAX)
+ return INT32_MAX;
return parsed;
}
@@ -2620,10 +2621,7 @@ handle_token_response(struct async_ctx *actx, char **token)
*/
if (strcmp(err->error, "slow_down") == 0)
{
- int prev_interval = actx->authz.interval;
-
- actx->authz.interval += 5;
- if (actx->authz.interval < prev_interval)
+ if (pg_add_s32_overflow(actx->authz.interval, 5, &actx->authz.interval))
{
actx_error(actx, "slow_down interval overflow");
goto token_cleanup;
@@ -2949,8 +2947,25 @@ pg_fe_run_oauth_flow_impl(PGconn *conn, PGoauthBearerRequestV2 *request,
* Wait for the required interval before issuing the next
* request.
*/
- if (!set_timer(actx, actx->authz.interval * 1000))
- goto error_return;
+ {
+ /*
+ * Avoid overflow of long int. (By the time we reach
+ * LONG_MAX milliseconds -- 24 days on 32-bit platforms --
+ * continuing to honor slow_down requests seems pretty
+ * pointless anyway.)
+ */
+ int64 interval_ms;
+
+ if (pg_mul_s64_overflow(actx->authz.interval, 1000,
+ &interval_ms)
+ || (interval_ms > LONG_MAX))
+ {
+ interval_ms = LONG_MAX;
+ }
+
+ if (!set_timer(actx, (long) interval_ms))
+ goto error_return;
+ }
/*
* No Curl requests are running, so we can simplify by having
--
2.34.1
view thread (10+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: oauth integer overflow
In-Reply-To: <CAOYmi+kKqSrU5c8D60rgSj6ybiNwsZkxgTJhef+w0-mRpw=m0A@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox