diff options
| author | Tom Lane | 2015-01-24 18:05:42 +0000 |
|---|---|---|
| committer | Tom Lane | 2015-01-24 18:05:42 +0000 |
| commit | 586dd5d6a5d59e406bc8032bb52625ffb904311c (patch) | |
| tree | b47c5e9038b75bd100e507f8ba3c7dc92e50d603 /contrib | |
| parent | 9222cd84b0f227287f65df395d52dc7973a62d29 (diff) | |
Replace a bunch more uses of strncpy() with safer coding.
strncpy() has a well-deserved reputation for being unsafe, so make an
effort to get rid of nearly all occurrences in HEAD.
A large fraction of the remaining uses were passing length less than or
equal to the known strlen() of the source, in which case no null-padding
can occur and the behavior is equivalent to memcpy(), though doubtless
slower and certainly harder to reason about. So just use memcpy() in
these cases.
In other cases, use either StrNCpy() or strlcpy() as appropriate (depending
on whether padding to the full length of the destination buffer seems
useful).
I left a few strncpy() calls alone in the src/timezone/ code, to keep it
in sync with upstream (the IANA tzcode distribution). There are also a
few such calls in ecpg that could possibly do with more analysis.
AFAICT, none of these changes are more than cosmetic, except for the four
occurrences in fe-secure-openssl.c, which are in fact buggy: an overlength
source leads to a non-null-terminated destination buffer and ensuing
misbehavior. These don't seem like security issues, first because no stack
clobber is possible and second because if your values of sslcert etc are
coming from untrusted sources then you've got problems way worse than this.
Still, it's undesirable to have unpredictable behavior for overlength
inputs, so back-patch those four changes to all active branches.
Diffstat (limited to 'contrib')
| -rw-r--r-- | contrib/fuzzystrmatch/dmetaphone.c | 2 | ||||
| -rw-r--r-- | contrib/isn/isn.c | 8 | ||||
| -rw-r--r-- | contrib/pg_trgm/trgm_regexp.c | 2 | ||||
| -rw-r--r-- | contrib/pgbench/pgbench.c | 2 | ||||
| -rw-r--r-- | contrib/pgcrypto/crypt-des.c | 3 | ||||
| -rw-r--r-- | contrib/xml2/xpath.c | 2 |
6 files changed, 9 insertions, 10 deletions
diff --git a/contrib/fuzzystrmatch/dmetaphone.c b/contrib/fuzzystrmatch/dmetaphone.c index b1f8b78d3be..7c8457e7344 100644 --- a/contrib/fuzzystrmatch/dmetaphone.c +++ b/contrib/fuzzystrmatch/dmetaphone.c @@ -247,7 +247,7 @@ NewMetaString(char *init_str) META_MALLOC(s->str, s->bufsize, char); assert(s->str != NULL); - strncpy(s->str, init_str, s->length + 1); + memcpy(s->str, init_str, s->length + 1); s->free_string_on_destroy = 1; return s; diff --git a/contrib/isn/isn.c b/contrib/isn/isn.c index 903b9378d84..5fbd253491a 100644 --- a/contrib/isn/isn.c +++ b/contrib/isn/isn.c @@ -825,18 +825,18 @@ string2ean(const char *str, bool errorOK, ean13 *result, goto eanwrongtype; break; case ISMN: - strncpy(buf, "9790", 4); /* this isn't for sure yet, for now + memcpy(buf, "9790", 4); /* this isn't for sure yet, for now * ISMN it's only 9790 */ valid = (valid && ((rcheck = checkdig(buf, 13)) == check || magic)); break; case ISBN: - strncpy(buf, "978", 3); + memcpy(buf, "978", 3); valid = (valid && ((rcheck = weight_checkdig(buf + 3, 10)) == check || magic)); break; case ISSN: - strncpy(buf + 10, "00", 2); /* append 00 as the normal issue + memcpy(buf + 10, "00", 2); /* append 00 as the normal issue * publication code */ - strncpy(buf, "977", 3); + memcpy(buf, "977", 3); valid = (valid && ((rcheck = weight_checkdig(buf + 3, 8)) == check || magic)); break; case UPC: diff --git a/contrib/pg_trgm/trgm_regexp.c b/contrib/pg_trgm/trgm_regexp.c index 529e1dbfe97..a91e6186bae 100644 --- a/contrib/pg_trgm/trgm_regexp.c +++ b/contrib/pg_trgm/trgm_regexp.c @@ -877,7 +877,7 @@ convertPgWchar(pg_wchar c, trgm_mb_char *result) #endif /* Fill result with exactly MAX_MULTIBYTE_CHAR_LEN bytes */ - strncpy(result->bytes, s, MAX_MULTIBYTE_CHAR_LEN); + memcpy(result->bytes, s, MAX_MULTIBYTE_CHAR_LEN); return true; } diff --git a/contrib/pgbench/pgbench.c b/contrib/pgbench/pgbench.c index 25616ceff67..ddd11a09c5b 100644 --- a/contrib/pgbench/pgbench.c +++ b/contrib/pgbench/pgbench.c @@ -829,7 +829,7 @@ replaceVariable(char **sql, char *param, int len, char *value) if (valueln != len) memmove(param + valueln, param + len, strlen(param + len) + 1); - strncpy(param, value, valueln); + memcpy(param, value, valueln); return param + valueln; } diff --git a/contrib/pgcrypto/crypt-des.c b/contrib/pgcrypto/crypt-des.c index 4ed44beeff5..b43141fed5c 100644 --- a/contrib/pgcrypto/crypt-des.c +++ b/contrib/pgcrypto/crypt-des.c @@ -708,7 +708,7 @@ px_crypt_des(const char *key, const char *setting) if (des_setkey((char *) keybuf)) return (NULL); } - strncpy(output, setting, 9); + StrNCpy(output, setting, 10); /* * Double check that we weren't given a short setting. If we were, the @@ -716,7 +716,6 @@ px_crypt_des(const char *key, const char *setting) * salt, but we don't really care. Just make sure the output string * doesn't have an extra NUL in it. */ - output[9] = '\0'; p = output + strlen(output); } else diff --git a/contrib/xml2/xpath.c b/contrib/xml2/xpath.c index f57b81302f3..655c5322cdf 100644 --- a/contrib/xml2/xpath.c +++ b/contrib/xml2/xpath.c @@ -327,7 +327,7 @@ xpath_string(PG_FUNCTION_ARGS) /* We could try casting to string using the libxml function? */ xpath = (xmlChar *) palloc(pathsize + 9); - strncpy((char *) xpath, "string(", 7); + memcpy((char *) xpath, "string(", 7); memcpy((char *) (xpath + 7), VARDATA(xpathsupp), pathsize); xpath[pathsize + 7] = ')'; xpath[pathsize + 8] = '\0'; |