| author | Tomas Vondra | 2017-01-19 11:45:15 +0000 |
|---|---|---|
| committer | Pavan Deolasee | 2017-05-05 04:59:34 +0000 |
| commit | b42b4275bfc0f92e8517ec583af587b9aa304d59 | |
| tree | 95d3ce025ffb9b65008f56dbb15640f645c78f29 | |
| parent | fd05beb889e2121bd9ce6814b4690dcf9c69ecce | |
fix buffer overflow in gtm_serialize_pgxcnodeinfo()
Due to gtm_get_pgxcnodeinfo_size() not considering 'max_sessions'
field, gtm_serialize_pgxcnodeinfo() was writing ~4B beyond the end
of the allocated buffer. In most cases that did not overwrite any
important data, but sometimes it corrupted malloc metadata, as
reported on the mailing list by Rami Sergey.
23:1325909760:2017-01-16 12:29:56.522 MSK -DEBUG:
gtm_get_pgxcnodeinfo_size: s_len=87, s_datalen=91
LOCATION: ProcessPGXCNodeList, register_gtm.c:391
*** Error in `/usr/local/pgsql/bin/gtm': free(): invalid next size
(fast): 0x00007fc448004c90 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fc44f0f47e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x7fe0a)[0x7fc44f0fce0a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fc44f10098c]
Fixed by adding 'max_sessions' to gtm_get_pgxcnodeinfo_size().
Report by Rami Sergey, fix by me.
-rw-r--r-- | src/gtm/common/gtm_serialize.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/gtm/common/gtm_serialize.c b/src/gtm/common/gtm_serialize.c index fe9e3aca3a..d28535aeeb 100644 --- a/src/gtm/common/gtm_serialize.c +++ b/src/gtm/common/gtm_serialize.c @@ -662,6 +662,7 @@ gtm_get_pgxcnodeinfo_size(GTM_PGXCNodeInfo *data) len += sizeof(GlobalTransactionId); /* xmin */ len += sizeof(GTM_Timestamp); /* reported timestamp */ + len += sizeof(uint32); /* max_sessions */ len += sizeof(uint32); /* num_sessions */ if (data->num_sessions > 0) /* sessions */ len += (data->num_sessions * sizeof(GTM_PGXCSession)); |
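Review bot: the one-line fix closes the gap (the missing sizeof(uint32) matches the 4-byte difference between s_len=87 and s_datalen=91 in the reported DEBUG line), but it leaves the root cause in place: gtm_get_pgxcnodeinfo_size() and gtm_serialize_pgxcnodeinfo() each maintain their own copy of the field layout, and the only consistency check is the caller in ProcessPGXCNodeList (register_gtm.c:391) logging the two lengths at DEBUG level after the buffer has already been written. Suggest that gtm_serialize_pgxcnodeinfo() compare the number of bytes it actually wrote against gtm_get_pgxcnodeinfo_size(data) before returning and fail with an Assert or elog(ERROR) on mismatch, so the next field added to one function and not the other is caught at the write rather than surfacing later as corrupted malloc metadata in free(). A short comment above both functions stating that the field order must be kept in sync would also help.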