diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml index 1b27d0a5479..5a3d6fdb5a3 100644 --- a/doc/src/sgml/protocol.sgml +++ b/doc/src/sgml/protocol.sgml @@ -1506,10 +1506,10 @@ SELCT 1/0; The frontend should also be prepared to handle an ErrorMessage - response to SSLRequest from the server. This would only occur if - the server predates the addition of SSL support - to PostgreSQL. (Such servers are now very ancient, - and likely do not exist in the wild anymore.) + response to SSLRequest from the server. The frontend should not display + this error message to the user/application, since the server has not been + authenticated + (CVE-2024-10977). In this case the connection must be closed, but the frontend might choose to open a fresh connection and proceed without requesting SSL. @@ -1619,12 +1619,13 @@ SELCT 1/0; The frontend should also be prepared to handle an ErrorMessage - response to GSSENCRequest from the server. This would only occur if - the server predates the addition of GSSAPI encryption - support to PostgreSQL. In this case the - connection must be closed, but the frontend might choose to open a fresh - connection and proceed without requesting GSSAPI - encryption. + response to GSSENCRequest from the server. The frontend should not display + this error message to the user/application, since the server has not been + authenticated + (CVE-2024-10977). + In this case the connection must be closed, but the frontend might choose + to open a fresh connection and proceed without requesting + GSSAPI encryption. diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c index e69a5f5be3c..2f87961a71e 100644 --- a/src/interfaces/libpq/fe-connect.c +++ b/src/interfaces/libpq/fe-connect.c @@ -3512,22 +3512,12 @@ keep_going: /* We will come back to here until there is { /* * Server failure of some sort, such as failure to - * fork a backend process. We need to process and - * report the error message, which might be formatted - * according to either protocol 2 or protocol 3. - * Rather than duplicate the code for that, we flip - * into AWAITING_RESPONSE state and let the code there - * deal with it. Note we have *not* consumed the "E" - * byte here. + * fork a backend process. Don't bother retrieving + * the error message; we should not trust it as the + * server has not been authenticated yet. */ - conn->status = CONNECTION_AWAITING_RESPONSE; - - /* - * Don't fall back to a plaintext connection after - * reading the error. - */ - conn->failed_enc_methods |= conn->allowed_enc_methods & (~conn->current_enc_method); - goto keep_going; + libpq_append_conn_error(conn, "server sent an error response during SSL exchange"); + goto error_return; } else { @@ -3611,13 +3601,9 @@ keep_going: /* We will come back to here until there is { /* * Server failure of some sort, possibly protocol - * version support failure. We need to process and - * report the error message, which might be formatted - * according to either protocol 2 or protocol 3. - * Rather than duplicate the code for that, we flip - * into AWAITING_RESPONSE state and let the code there - * deal with it. Note we have *not* consumed the "E" - * byte here. + * version support failure. Don't bother retrieving + * the error message; we should not trust it anyway as + * the server has not authenticated yet. * * Note that unlike on an error response to * SSLRequest, we allow falling back to SSL or @@ -3626,8 +3612,8 @@ keep_going: /* We will come back to here until there is * response might mean that we are connecting to a * pre-v12 server. */ - conn->status = CONNECTION_AWAITING_RESPONSE; - goto keep_going; + libpq_append_conn_error(conn, "server sent an error response during GSS encryption exchange"); + CONNECTION_FAILED(); } /* mark byte consumed */