diff options
author | Pavan Deolasee | 2016-01-19 03:36:04 +0000 |
---|---|---|
committer | Pavan Deolasee | 2016-10-18 09:42:41 +0000 |
commit | aa3efb4e0b8286a96ff7cd0b8aab074d2526bfed (patch) | |
tree | 14c6fafce2d77499117b32fb228f926c65376029 | |
parent | e45711cf93664137a00d99fcbb886e845a92a4a2 (diff) |
Fix various potential buffer overflows which got exposed after we recently
increased GIDSIZE
Per report by Tobias Oberstein
-rw-r--r-- | contrib/pgxc_clean/pgxc_clean.c | 2 | ||||
-rw-r--r-- | src/backend/pgxc/pool/execRemote.c | 13 | ||||
-rw-r--r-- | src/gtm/main/gtm_txn.c | 8 |
3 files changed, 17 insertions, 6 deletions
diff --git a/contrib/pgxc_clean/pgxc_clean.c b/contrib/pgxc_clean/pgxc_clean.c index 911bebc520..d96cdf85fd 100644 --- a/contrib/pgxc_clean/pgxc_clean.c +++ b/contrib/pgxc_clean/pgxc_clean.c @@ -509,7 +509,7 @@ do_commit_abort(PGconn *conn, txn_info *txn, bool is_commit) int ii; static const char *EXEC_DIRECT_STMT_FMT = "EXECUTE DIRECT ON (%s) '%s PREPARED ''%s'';';"; static const char *GLOBAL_STMT_FMT = "%s PREPARED '%s';"; - char stmt[1024]; + char *stmt = (char *) malloc (64 + strlen(txn->xid)); PGresult *res; ExecStatusType res_status; diff --git a/src/backend/pgxc/pool/execRemote.c b/src/backend/pgxc/pool/execRemote.c index a562352841..717208a5f1 100644 --- a/src/backend/pgxc/pool/execRemote.c +++ b/src/backend/pgxc/pool/execRemote.c @@ -2063,8 +2063,8 @@ pgxc_node_remote_prepare(char *prepareGID, bool localNode) { bool isOK = true; StringInfoData nodestr; - char prepare_cmd[256]; - char abort_cmd[256]; + char *prepare_cmd = (char *) palloc (64 + strlen(prepareGID)); + char *abort_cmd; GlobalTransactionId auxXid; char *commit_cmd = "COMMIT TRANSACTION"; int i; @@ -2300,8 +2300,11 @@ pgxc_node_remote_prepare(char *prepareGID, bool localNode) } } + pfree(prepare_cmd); return nodestr.data; + prepare_err: + abort_cmd = (char *) palloc (64 + strlen(abort_cmd)); sprintf(abort_cmd, "ROLLBACK PREPARED '%s'", prepareGID); auxXid = GetAuxilliaryTransactionId(); @@ -2407,6 +2410,7 @@ prepare_err: } pfree_pgxc_all_handles(handles); + pfree(abort_cmd); /* * If the flag is set we are here because combiner carries error message @@ -4181,7 +4185,7 @@ pgxc_node_remote_finish(char *prepareGID, bool commit, char *nodestring, GlobalTransactionId gxid, GlobalTransactionId prepare_gxid) { - char finish_cmd[256]; + char *finish_cmd; PGXCNodeHandle *connections[MaxCoords + MaxDataNodes]; int conn_count = 0; ResponseCombiner combiner; @@ -4229,6 +4233,8 @@ pgxc_node_remote_finish(char *prepareGID, bool commit, pgxc_handles = get_handles(nodelist, coordlist, false, true); + finish_cmd = (char *) palloc(64 + strlen(prepareGID)); + if (commit) sprintf(finish_cmd, "COMMIT PREPARED '%s'", prepareGID); else @@ -4320,6 +4326,7 @@ pgxc_node_remote_finish(char *prepareGID, bool commit, } pfree_pgxc_all_handles(pgxc_handles); + pfree(finish_cmd); return prepared_local; } diff --git a/src/gtm/main/gtm_txn.c b/src/gtm/main/gtm_txn.c index 7db191a393..f6453532a6 100644 --- a/src/gtm/main/gtm_txn.c +++ b/src/gtm/main/gtm_txn.c @@ -1981,7 +1981,7 @@ void ProcessGetGIDDataTransactionCommand(Port *myport, StringInfo message) { StringInfoData buf; - char gid[1024]; + char *gid; char *nodestring = NULL; int gidlen; GTM_IsolationLevel txn_isolation_level; @@ -1996,6 +1996,7 @@ ProcessGetGIDDataTransactionCommand(Port *myport, StringInfo message) /* receive GID */ gidlen = pq_getmsgint(message, sizeof (GTM_StrLen)); + gid = (char *) palloc(gidlen + 1); memcpy(gid, (char *)pq_getmsgbytes(message, gidlen), gidlen); gid[gidlen] = '\0'; @@ -2096,6 +2097,7 @@ retry: /* No backup to the standby because this does not change internal status */ if (myport->remote_type != GTM_NODE_GTM_PROXY) pq_flush(myport); + pfree(gid); return; } /* @@ -2441,7 +2443,7 @@ ProcessStartPreparedTransactionCommand(Port *myport, StringInfo message, bool is GTM_StrLen gidlen, nodelen; char nodestring[1024]; MemoryContext oldContext; - char gid[1024]; + char *gid; const char *data = pq_getmsgbytes(message, sizeof (gxid)); if (data == NULL) @@ -2453,6 +2455,7 @@ ProcessStartPreparedTransactionCommand(Port *myport, StringInfo message, bool is /* get GID */ gidlen = pq_getmsgint(message, sizeof (GTM_StrLen)); + gid = (char *) palloc(gidlen + 1); memcpy(gid, (char *)pq_getmsgbytes(message, gidlen), gidlen); gid[gidlen] = '\0'; @@ -2523,6 +2526,7 @@ ProcessStartPreparedTransactionCommand(Port *myport, StringInfo message, bool is } } + pfree(gid); return; } |