diff options
| author | Tomas Vondra | 2018-10-11 14:51:09 +0000 |
|---|---|---|
| committer | Tomas Vondra | 2018-10-11 14:51:09 +0000 |
| commit | 332250d176df9fcf27c0fa9be312dab1e1f49d42 (patch) | |
| tree | aaabf16101e6a244a554be91a5e942e33e246036 /contrib/btree_gist/btree_gist.c | |
| parent | 81d499591b2ca1ae17917667765c5bcff19f012d (diff) | |
Use dynamic buffer to parse NODE_LIST_RESULT in GTM
When processing NODE_LIST_RESULT messages, gtmpqParseSuccess() used
a static buffer, defined as "char buf[8092]". This is an issue, as
the message has variable length, and may get long enough to exceed
any hard-coded limit. While that's not very common (it requires
long paths, node names and/or many GTM sessions on the node), it
may happen, in which case the memcpy() causes a buffer overflow and
corrupts the stack.
Fixing this is simple - allocate the buffer using malloc() intead,
requesting exactly the right amount of memory. This however hits
a latent pre-existing issue in the code, because the code was doing
memcpy(&buf,...) instead of memcpy(buf,...). With static buffers
this was harmless, because (buf == &buf), so the code was working
as intended (except when there were more than 8092 bytes). With
dynamic memory this is no longer true, becase (buf != &buf), and
the stack corruption was much easier to trigger (just 8 bytes).
Per report and debug info by Hengbing. Patch by Pavan and me.
Diffstat (limited to 'contrib/btree_gist/btree_gist.c')
0 files changed, 0 insertions, 0 deletions