Re: Fix infinite loop from setting scram_iterations to INT_MAX

Richard Guo <guofenglinux@gmail.com>

From: Richard Guo <guofenglinux@gmail.com>
To: Kevin K Biju <kevinkbiju@gmail.com>
Cc: pgsql-hackers@lists.postgresql.org
Date: 2025-03-24T00:50:36Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Fix integer-overflow problem in scram_SaltedPassword()

On Sun, Mar 23, 2025 at 10:41 PM Kevin K Biju <kevinkbiju@gmail.com> wrote:
> int i;
> ...
> for (i = 2; i <= iterations; i++)
> {
>     ...
> }
>
> For iterations = INT_MAX, the loop will never terminate since the condition is <= and adding 1 to INT_MAX will lead to i wrapping around to INT_MIN.
>
> I've fixed this by modifying the loop condition to be i < iterations. I've attached a patch with the fix. I considered adding a test as well, but since generating a password with a high number of iterations is very time-consuming, I'm not sure if that would be practical.

Nice catch.  The fix looks good to me.  It seems to me that it's fine
to go without a test case, since the fix is quite straightforward.

Thanks
Richard