authorPavan Deolasee2016-01-19 03:36:04 +0000
committerPavan Deolasee2016-10-18 09:42:41 +0000
commitaa3efb4e0b8286a96ff7cd0b8aab074d2526bfed (patch)
tree14c6fafce2d77499117b32fb228f926c65376029
parente45711cf93664137a00d99fcbb886e845a92a4a2 (diff)
Fix various potential buffer overflows which got exposed after we recently
increased GIDSIZE. Per report by Tobias Oberstein
-rw-r--r--contrib/pgxc_clean/pgxc_clean.c2
-rw-r--r--src/backend/pgxc/pool/execRemote.c13
-rw-r--r--src/gtm/main/gtm_txn.c8
3 files changed, 17 insertions, 6 deletions
diff --git a/contrib/pgxc_clean/pgxc_clean.c b/contrib/pgxc_clean/pgxc_clean.c
index 911bebc520..d96cdf85fd 100644
--- a/contrib/pgxc_clean/pgxc_clean.c
+++ b/contrib/pgxc_clean/pgxc_clean.c
@@ -509,7 +509,7 @@ do_commit_abort(PGconn *conn, txn_info *txn, bool is_commit)
int ii;
static const char *EXEC_DIRECT_STMT_FMT = "EXECUTE DIRECT ON (%s) '%s PREPARED ''%s'';';";
static const char *GLOBAL_STMT_FMT = "%s PREPARED '%s';";
- char stmt[1024];
+ char *stmt = (char *) malloc (64 + strlen(txn->xid));
PGresult *res;
ExecStatusType res_status;
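Review bot: The new allocation for `stmt` is sized from `txn->xid` alone, but `EXEC_DIRECT_STMT_FMT` a few lines above also interpolates a node name, and its fixed text plus the COMMIT/ROLLBACK verb already uses roughly 48 of the 64 spare bytes. If `stmt` is later filled with `sprintf` using that format (the calls are outside this hunk), a node name longer than about 16 characters would still overrun the heap buffer. The `malloc` result is also used without a NULL check, and no matching `free` is visible here. Consider computing the size per call with `snprintf(NULL, 0, ...)`, or writing with `snprintf(stmt, size, ...)` and checking the return against the allocated size. The body of do_commit_abort continues outside the hunk.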
diff --git a/src/backend/pgxc/pool/execRemote.c b/src/backend/pgxc/pool/execRemote.c
index a562352841..717208a5f1 100644
--- a/src/backend/pgxc/pool/execRemote.c
+++ b/src/backend/pgxc/pool/execRemote.c
@@ -2063,8 +2063,8 @@ pgxc_node_remote_prepare(char *prepareGID, bool localNode)
{
bool isOK = true;
StringInfoData nodestr;
- char prepare_cmd[256];
- char abort_cmd[256];
+ char *prepare_cmd = (char *) palloc (64 + strlen(prepareGID));
+ char *abort_cmd;
GlobalTransactionId auxXid;
char *commit_cmd = "COMMIT TRANSACTION";
int i;
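Review bot: `64 + strlen(prepareGID)` at the declaration of `prepare_cmd` is sufficient only while the fixed text of the format written into it stays under 64 bytes, and nothing in the code ties the two together. The same pattern is repeated for `abort_cmd` and `finish_cmd` in the later hunks of this file. Because the buffers are still filled with unbounded `sprintf`, a later change to a command string would silently reintroduce the overflow. If this tree provides `psprintf` (present in upstream PostgreSQL since 9.4), building each command with it removes the manual sizing, e.g. `abort_cmd = psprintf("ROLLBACK PREPARED '%s'", prepareGID);`; otherwise write with `snprintf` and the allocated size. The function body continues outside the hunk.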
@@ -2300,8 +2300,11 @@ pgxc_node_remote_prepare(char *prepareGID, bool localNode)
}
}
+ pfree(prepare_cmd);
return nodestr.data;
+
prepare_err:
+ abort_cmd = (char *) palloc (64 + strlen(abort_cmd));
sprintf(abort_cmd, "ROLLBACK PREPARED '%s'", prepareGID);
auxXid = GetAuxilliaryTransactionId();
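Review bot: `palloc (64 + strlen(abort_cmd))` under `prepare_err` takes the length of `abort_cmd` itself, which is declared without an initializer and has not been assigned at this point, so `strlen` reads through an indeterminate pointer. That is undefined behaviour: it can crash the backend on the error path, or return a short length so that the following `sprintf` of `prepareGID` writes past the allocation. The length should come from the GID: `abort_cmd = (char *) palloc(64 + strlen(prepareGID));`. In the visible hunks `prepare_cmd` is freed only before the normal return, not on this path. The code under the label continues outside the hunk.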
@@ -2407,6 +2410,7 @@ prepare_err:
}
pfree_pgxc_all_handles(handles);
+ pfree(abort_cmd);
/*
* If the flag is set we are here because combiner carries error message
@@ -4181,7 +4185,7 @@ pgxc_node_remote_finish(char *prepareGID, bool commit,
char *nodestring, GlobalTransactionId gxid,
GlobalTransactionId prepare_gxid)
{
- char finish_cmd[256];
+ char *finish_cmd;
PGXCNodeHandle *connections[MaxCoords + MaxDataNodes];
int conn_count = 0;
ResponseCombiner combiner;
@@ -4229,6 +4233,8 @@ pgxc_node_remote_finish(char *prepareGID, bool commit,
pgxc_handles = get_handles(nodelist, coordlist, false, true);
+ finish_cmd = (char *) palloc(64 + strlen(prepareGID));
+
if (commit)
sprintf(finish_cmd, "COMMIT PREPARED '%s'", prepareGID);
else
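Review bot: `prepareGID` is placed between single quotes with a plain `%s` in the `COMMIT PREPARED` statement here (and in `ROLLBACK PREPARED` in the `prepare_err` hunk), so a GID containing a quote character would produce a malformed or altered statement on the remote nodes. Whether such a GID can reach this point depends on callers not shown. If it can, the value should be escaped as a literal, for example with `quote_literal_cstr(prepareGID)` and a `%s` without the surrounding quotes. The allocation would then have to be sized from the escaped string rather than `strlen(prepareGID)`. The if/else continues outside the hunk.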
@@ -4320,6 +4326,7 @@ pgxc_node_remote_finish(char *prepareGID, bool commit,
}
pfree_pgxc_all_handles(pgxc_handles);
+ pfree(finish_cmd);
return prepared_local;
}
diff --git a/src/gtm/main/gtm_txn.c b/src/gtm/main/gtm_txn.c
index 7db191a393..f6453532a6 100644
--- a/src/gtm/main/gtm_txn.c
+++ b/src/gtm/main/gtm_txn.c
@@ -1981,7 +1981,7 @@ void
ProcessGetGIDDataTransactionCommand(Port *myport, StringInfo message)
{
StringInfoData buf;
- char gid[1024];
+ char *gid;
char *nodestring = NULL;
int gidlen;
GTM_IsolationLevel txn_isolation_level;
@@ -1996,6 +1996,7 @@ ProcessGetGIDDataTransactionCommand(Port *myport, StringInfo message)
/* receive GID */
gidlen = pq_getmsgint(message, sizeof (GTM_StrLen));
+ gid = (char *) palloc(gidlen + 1);
memcpy(gid, (char *)pq_getmsgbytes(message, gidlen), gidlen);
gid[gidlen] = '\0';
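Review bot: `gidlen` comes straight from the message and is used as both the allocation size and the `memcpy` length with no range check, and the pointer returned by `pq_getmsgbytes` is passed to `memcpy` unchecked, although ProcessStartPreparedTransactionCommand in this same file tests that return against NULL. A negative or oversized length from a peer would now produce a bad `palloc` request or a copy from an invalid source instead of the old stack overflow. Validate the length first, e.g. `if (gidlen < 0 || gidlen > GIDSIZE)` (or whichever limit constant is visible in this file), take the failure path the function already uses for malformed messages, and check the returned pointer before copying. The same three lines are added under `/* get GID */` in ProcessStartPreparedTransactionCommand. The function continues outside the hunk.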
@@ -2096,6 +2097,7 @@ retry:
/* No backup to the standby because this does not change internal status */
if (myport->remote_type != GTM_NODE_GTM_PROXY)
pq_flush(myport);
+ pfree(gid);
return;
}
/*
@@ -2441,7 +2443,7 @@ ProcessStartPreparedTransactionCommand(Port *myport, StringInfo message, bool is
GTM_StrLen gidlen, nodelen;
char nodestring[1024];
MemoryContext oldContext;
- char gid[1024];
+ char *gid;
const char *data = pq_getmsgbytes(message, sizeof (gxid));
if (data == NULL)
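Review bot: `nodestring` remains a fixed `char nodestring[1024]` next to `nodelen`, while `gid` in the same declaration block is moved to the heap. If `nodestring` is filled the same way as `gid`, from a message-supplied length (the copy is outside this hunk), it keeps the kind of overflow this commit removes for the GID. Either check `nodelen` against `sizeof(nodestring)` before the copy or allocate it as `palloc(nodelen + 1)` and free it alongside `gid`. The function body continues outside the hunk.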
@@ -2453,6 +2455,7 @@ ProcessStartPreparedTransactionCommand(Port *myport, StringInfo message, bool is
/* get GID */
gidlen = pq_getmsgint(message, sizeof (GTM_StrLen));
+ gid = (char *) palloc(gidlen + 1);
memcpy(gid, (char *)pq_getmsgbytes(message, gidlen), gidlen);
gid[gidlen] = '\0';
@@ -2523,6 +2526,7 @@ ProcessStartPreparedTransactionCommand(Port *myport, StringInfo message, bool is
}
}
+ pfree(gid);
return;
}