Fix integer-overflow problem in scram_SaltedPassword()

Richard Guo · Richard Guo · commit 7c82b4f71187 · 2025-03-26T17:46:51.000+09:00
Setting the iteration count for SCRAM secret generation to INT_MAX will cause an infinite loop in scram_SaltedPassword() due to integer overflow, as the loop uses the "i <= iterations" comparison. To fix, use "i < iterations" instead. Back-patch to v16 where the user-settable GUC scram_iterations has been added. Author: Kevin K Biju <kevinkbiju@gmail.com> Reviewed-by: Richard Guo <guofenglinux@gmail.com> Reviewed-by: Michael Paquier <michael@paquier.xyz> Discussion: https://postgr.es/m/CAM45KeEMm8hnxdTOxA98qhfZ9CzGDdgy3mxgJmy0c+2WwjA6Zg@mail.gmail.com
diff --git a/src/common/scram-common.c b/src/common/scram-common.c
@@ -74,7 +74,7 @@ scram_SaltedPassword(const char *password,
 	memcpy(result, Ui_prev, key_length);
 
 	/* Subsequent iterations */
-	for (i = 2; i <= iterations; i++)
+	for (i = 1; i < iterations; i++)
 	{
 #ifndef FRONTEND
 		/*

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ scram_SaltedPassword(const char *password,`
`74`	`74`	`memcpy(result, Ui_prev, key_length);`
`75`	`75`
`76`	`76`	`/* Subsequent iterations */`
`77`		`- for (i = 2; i <= iterations; i++)`
	`77`	`+ for (i = 1; i < iterations; i++)`
`78`	`78`	`{`
`79`	`79`	`#ifndef FRONTEND`
`80`	`80`	`/*`