Abort authentication if the client selected an invalid SASL mechanism.
author Heikki Linnakangas <heikki.linnakangas@iki.fi>
Thu, 25 May 2017 12:50:47 +0000 (08:50 -0400)
committer Heikki Linnakangas <heikki.linnakangas@iki.fi>
Thu, 25 May 2017 12:50:47 +0000 (08:50 -0400)
Previously, the server would log an error, but then try to continue with
SCRAM-SHA-256 anyway.

Michael Paquier

Discussion: https://www.postgresql.org/message-id/CAB7nPqR0G5aF2_kc_LH29knVqwvmBc66TF5DicvpGVdke68nKw@mail.gmail.com

src/backend/libpq/auth.c

index c895ba0c326f8dd571c4b4db9536b469d3df4918..5b68e3b7a16d3e50cb3427a3b8c7f63092a8c853 100644 (file)
@@ -934,9 +934,13 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
             */
            selected_mech = pq_getmsgrawstring(&buf);
            if (strcmp(selected_mech, SCRAM_SHA256_NAME) != 0)
+           {
                ereport(COMMERROR,
                        (errcode(ERRCODE_PROTOCOL_VIOLATION),
                         errmsg("client selected an invalid SASL authentication mechanism")));
+               pfree(buf.data);
+               return STATUS_ERROR;
+           }
 
            inputlen = pq_getmsgint(&buf, 4);
            if (inputlen == -1)
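Review bot: The new `pfree(buf.data); return STATUS_ERROR;` pair inside the `strcmp(selected_mech, SCRAM_SHA256_NAME) != 0` block has no comment explaining why the explicit return is required. `ereport(COMMERROR, ...)` only logs and hands control back to the caller, which is how the old code fell through into the SCRAM-SHA-256 exchange as the commit message describes. A one-line comment above the return, stating that COMMERROR does not abort and that the exchange must be abandoned here, would keep a later cleanup from reintroducing the fall-through. Separately, `selected_mech` is read from `buf`, so it should not be referenced after the `pfree(buf.data)`; the ordering here is fine, and it should stay that way if the error message is ever extended to report the mechanism name.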