authorTomas Vondra2017-01-19 11:45:15 +0000
committerPavan Deolasee2017-05-05 04:59:34 +0000
commitb42b4275bfc0f92e8517ec583af587b9aa304d59 (patch)
tree95d3ce025ffb9b65008f56dbb15640f645c78f29
parentfd05beb889e2121bd9ce6814b4690dcf9c69ecce (diff)
fix buffer overflow in gtm_serialize_pgxcnodeinfo()
Due to gtm_get_pgxcnodeinfo_size() not considering the 'max_sessions' field, gtm_serialize_pgxcnodeinfo() was writing ~4 bytes beyond the end of the allocated buffer. In most cases that did not overwrite any important data, but sometimes it corrupted malloc metadata, as reported on the mailing list by Rami Sergey. 23:1325909760:2017-01-16 12:29:56.522 MSK -DEBUG: gtm_get_pgxcnodeinfo_size: s_len=87, s_datalen=91 LOCATION: ProcessPGXCNodeList, register_gtm.c:391 *** Error in `/usr/local/pgsql/bin/gtm': free(): invalid next size (fast): 0x00007fc448004c90 *** ======= Backtrace: ========= /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fc44f0f47e5] /lib/x86_64-linux-gnu/libc.so.6(+0x7fe0a)[0x7fc44f0fce0a] /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fc44f10098c] Fixed by adding 'max_sessions' to gtm_get_pgxcnodeinfo_size(). Report by Rami Sergey, fix by me.
-rw-r--r--src/gtm/common/gtm_serialize.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/gtm/common/gtm_serialize.c b/src/gtm/common/gtm_serialize.c
index fe9e3aca3a..d28535aeeb 100644
--- a/src/gtm/common/gtm_serialize.c
+++ b/src/gtm/common/gtm_serialize.c
@@ -662,6 +662,7 @@ gtm_get_pgxcnodeinfo_size(GTM_PGXCNodeInfo *data)
len += sizeof(GlobalTransactionId); /* xmin */
len += sizeof(GTM_Timestamp); /* reported timestamp */
+ len += sizeof(uint32); /* max_sessions */
len += sizeof(uint32); /* num_sessions */
if (data->num_sessions > 0) /* sessions */
len += (data->num_sessions * sizeof(GTM_PGXCSession));