From 505b5d2f8672f13c98dd744a6d421da14f59cd39 Mon Sep 17 00:00:00 2001
From: Heikki Linnakangas
Date: Thu, 25 May 2017 08:50:47 -0400
Subject: [PATCH] Abort authentication if the client selected an invalid SASL
 mechanism.

Previously, the server would log an error, but then try to continue with
SCRAM-SHA-256 anyway.

Michael Paquier

Discussion: https://www.postgresql.org/message-id/CAB7nPqR0G5aF2_kc_LH29knVqwvmBc66TF5DicvpGVdke68nKw@mail.gmail.com
---
 src/backend/libpq/auth.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index c895ba0c32..5b68e3b7a1 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -934,9 +934,13 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	 */
 	selected_mech = pq_getmsgrawstring(&buf);
 	if (strcmp(selected_mech, SCRAM_SHA256_NAME) != 0)
+	{
 		ereport(COMMERROR,
 				(errcode(ERRCODE_PROTOCOL_VIOLATION),
 				 errmsg("client selected an invalid SASL authentication mechanism")));
+		pfree(buf.data);
+		return STATUS_ERROR;
+	}
 
 	inputlen = pq_getmsgint(&buf, 4);
 	if (inputlen == -1)
-- 
2.40.0
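Review bot: The new early-return path frees `buf.data` while `selected_mech`, obtained from `pq_getmsgrawstring(&buf)` a few lines above, presumably still points into that same buffer; nothing in the hunk uses it after the `pfree`, so the code is correct, but a short comment would keep a later edit from logging the rejected mechanism name after the free, e.g. `/* selected_mech points into buf.data; do not use it after pfree */`. It would also help to state the security intent next to the `return STATUS_ERROR;`, since the surrounding code gives no hint why the exchange must stop here: `/* Reject the exchange outright rather than proceeding with SCRAM-SHA-256 on a mechanism the client did not select. */`. Whether the caller turns STATUS_ERROR into a client-visible authentication failure with no further detail cannot be confirmed from this hunk, as CheckSCRAMAuth begins and ends outside it.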