author | Pavan Deolasee | 2010-12-02 06:51:42 +0000 |
---|---|---|
committer | Pavan Deolasee | 2011-05-19 16:45:24 +0000 |
commit | 4d5d43f2fe273c4c7b1a45176267085b39a0de61 (patch) | |
tree | e83fb1c5f7a08ad793559dfa52345341bd9da41d | |
parent | 1d1e22b48ec2df8e32a70867fbd76fc4e0d8e203 (diff) |
Check for buffer overflow while constructing gtm/gtm_proxy start/stop commands.
In passing, also fix another bug where an uninitialized var was being used.
Bug report and patch by Xiong Wang (Benny) with some tweaks by me
-rw-r--r-- | src/gtm/gtm_ctl/gtm_ctl.c | 45 | ||||
-rw-r--r-- | src/gtm/libpq/pqformat.c | 26 |
2 files changed, 38 insertions, 33 deletions
diff --git a/src/gtm/gtm_ctl/gtm_ctl.c b/src/gtm/gtm_ctl/gtm_ctl.c index 3b01796484..46d9364e6b 100644 --- a/src/gtm/gtm_ctl/gtm_ctl.c +++ b/src/gtm/gtm_ctl/gtm_ctl.c @@ -246,26 +246,52 @@ static int start_gtm(void) { char cmd[MAXPGPATH]; + char gtm_app_path[MAXPGPATH]; + int len; + /* * Since there might be quotes to handle here, it is easier simply to pass * everything to a shell to process them. */ + memset(gtm_app_path, 0, MAXPGPATH); + memset(cmd, 0, MAXPGPATH); + + /* + * Construct gtm binary path. We should leave one byte at the end for '\0' + */ + len = 0; if (gtm_path != NULL) { - strcat(gtm_path, "/"); - strcat(gtm_path, gtm_app); + strncpy(gtm_app_path, gtm_path, MAXPGPATH - len - 1); + + len = strlen(gtm_app_path); + strncat(gtm_app_path, "/", MAXPGPATH - len - 1); + + len = strlen(gtm_app_path); } - else - gtm_path = gtm_app; + + if (strlen(gtm_app) >= (MAXPGPATH - len - 1)) + { + write_stderr("gtm command exceeds max size"); + exit(1); + } + + strncat(gtm_app_path, gtm_app, MAXPGPATH - len - 1); if (log_file != NULL) - snprintf(cmd, MAXPGPATH, SYSTEMQUOTE "\"%s\" %s%s < \"%s\" >> \"%s\" 2>&1 &" SYSTEMQUOTE, - gtm_path, gtmdata_opt, gtm_opts, + len = snprintf(cmd, MAXPGPATH - 1, SYSTEMQUOTE "\"%s\" %s%s < \"%s\" >> \"%s\" 2>&1 &" SYSTEMQUOTE, + gtm_app_path, gtmdata_opt, gtm_opts, DEVNULL, log_file); else - snprintf(cmd, MAXPGPATH, SYSTEMQUOTE "\"%s\" %s%s < \"%s\" 2>&1 &" SYSTEMQUOTE, - gtm_path, gtmdata_opt, gtm_opts, DEVNULL); + len = snprintf(cmd, MAXPGPATH - 1, SYSTEMQUOTE "\"%s\" %s%s < \"%s\" 2>&1 &" SYSTEMQUOTE, + gtm_app_path, gtmdata_opt, gtm_opts, DEVNULL); + + if (len >= MAXPGPATH - 1) + { + write_stderr("gtm command exceeds max size"); + exit(1); + } return system(cmd); } @@ -376,14 +402,13 @@ read_gtm_opts(void) { int len; char *optline; - char *arg1; optline = optlines[0]; /* trim off line endings */ len = strcspn(optline, "\r\n"); optline[len] = '\0'; - gtm_opts = arg1; + gtm_opts = optline; } } } 
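Review bot: In start_gtm the binary path is built with a strncpy/strncat chain whose truncation is never tested directly. An over-long gtm_path is cut silently and is rejected only because the later `strlen(gtm_app) >= (MAXPGPATH - len - 1)` test then fails for any non-empty gtm_app. Inside the `gtm_path != NULL` branch a single checked call states the intent and leaves no way for a shortened path to reach system(): `len = snprintf(gtm_app_path, MAXPGPATH, "%s/%s", gtm_path, gtm_app);` followed by `if (len < 0 || len >= MAXPGPATH)`. The final test on cmd should also treat a negative snprintf return as failure, `if (len < 0 || len >= MAXPGPATH - 1)`. The string passed to write_stderr probably wants a trailing `\n`.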
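Review bot: `gtm_opts = optline;` makes gtm_opts alias optlines[0], and start_gtm then formats it into the system() command with a bare `%s`, so the line read here (presumably from the options file) becomes shell text without quoting or validation. That trust assumption deserves a comment at the assignment, for example `/* gtm_opts points into optlines[0], which must stay allocated; it is passed to the shell as-is, so the options file must be writable only by the GTM owner */`. Whether optlines[0] is checked for NULL before `strcspn` cannot be seen here, because read_gtm_opts starts and ends outside the hunk.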
diff --git a/src/gtm/libpq/pqformat.c b/src/gtm/libpq/pqformat.c index 339f50a995..41ef1056a3 100644 --- a/src/gtm/libpq/pqformat.c +++ b/src/gtm/libpq/pqformat.c @@ -134,20 +134,9 @@ pq_sendcountedtext(StringInfo buf, const char *str, int slen, bool countincludesself) { int extra = countincludesself ? 4 : 0; - char *p; - if (p != str) /* actual conversion has been done? */ - { - slen = strlen(p); - pq_sendint(buf, slen + extra, 4); - appendBinaryStringInfo(buf, p, slen); - pfree(p); - } - else - { - pq_sendint(buf, slen + extra, 4); - appendBinaryStringInfo(buf, str, slen); - } + pq_sendint(buf, slen + extra, 4); + appendBinaryStringInfo(buf, str, slen); } /* -------------------------------- @@ -163,16 +152,7 @@ pq_sendcountedtext(StringInfo buf, const char *str, int slen, void pq_sendtext(StringInfo buf, const char *str, int slen) { - char *p; - - if (p != str) /* actual conversion has been done? */ - { - slen = strlen(p); - appendBinaryStringInfo(buf, p, slen); - pfree(p); - } - else - appendBinaryStringInfo(buf, str, slen); + appendBinaryStringInfo(buf, str, slen); } /* -------------------------------- |
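Review bot: With the conversion branch gone, pq_sendcountedtext writes `slen + extra` as the length word and copies exactly `slen` bytes from `str`, so the count on the wire is whatever the caller passed. Nothing here rejects a negative or oversized `slen`, and pq_sendtext in the next hunk has the same shape. The function header comments lie outside both hunks; if they still describe character-set conversion they should be changed to say the bytes are sent unconverted, e.g. `/* str is sent as-is; caller must pass slen >= 0 and no larger than the buffer behind str */`.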