diff options
author | Noah Misch | 2014-08-19 02:59:31 +0000 |
---|---|---|
committer | Noah Misch | 2014-08-19 02:59:31 +0000 |
commit | fb2aece8ae4e6f23310d7c87c7da3fec6f5df3a1 (patch) | |
tree | 78dfd07962f4a43f8b23ad8613441a3a018236a5 | |
parent | 7fc5f1a3550ca9395051b592df150de79804131a (diff) |
Replace a few strncmp() calls with strlcpy().
strncmp() is a specialized API unsuited for routine copying into
fixed-size buffers. On a system where the length of a single filename
can exceed MAXPGPATH, the pg_archivecleanup change prevents a simple
crash in the subsequent strlen(). Few filesystems support names that
long, and calling pg_archivecleanup with untrusted input is still not a
credible use case. Therefore, no back-patch.
David Rowley
-rw-r--r-- | contrib/pg_archivecleanup/pg_archivecleanup.c | 7 | ||||
-rw-r--r-- | src/backend/access/transam/xlogarchive.c | 3 |
2 files changed, 8 insertions, 2 deletions
diff --git a/contrib/pg_archivecleanup/pg_archivecleanup.c b/contrib/pg_archivecleanup/pg_archivecleanup.c index 212b267fcf..97225a81a7 100644 --- a/contrib/pg_archivecleanup/pg_archivecleanup.c +++ b/contrib/pg_archivecleanup/pg_archivecleanup.c @@ -108,7 +108,12 @@ CleanupPriorWALFiles(void) { while (errno = 0, (xlde = readdir(xldir)) != NULL) { - strncpy(walfile, xlde->d_name, MAXPGPATH); + /* + * Truncation is essentially harmless, because we skip names of + * length other than XLOG_DATA_FNAME_LEN. (In principle, one + * could use a 1000-character additional_ext and get trouble.) + */ + strlcpy(walfile, xlde->d_name, MAXPGPATH); TrimExtension(walfile, additional_ext); /* diff --git a/src/backend/access/transam/xlogarchive.c b/src/backend/access/transam/xlogarchive.c index 37745dce89..047efa2672 100644 --- a/src/backend/access/transam/xlogarchive.c +++ b/src/backend/access/transam/xlogarchive.c @@ -459,7 +459,8 @@ KeepFileRestoredFromArchive(char *path, char *xlogfname) xlogfpath, oldpath))); } #else - strncpy(oldpath, xlogfpath, MAXPGPATH); + /* same-size buffers, so this never truncates */ + strlcpy(oldpath, xlogfpath, MAXPGPATH); #endif if (unlink(oldpath) != 0) ereport(FATAL, |