From: Tomas Vondra
Date: Thu, 19 Jan 2017 11:45:15 +0000 (+0100)
Subject: fix buffer overflow in gtm_serialize_pgxcnodeinfo()
X-Git-Tag: XL_10_R1BETA1~311
X-Git-Url: http://git.postgresql.org/gitweb/static/gitweb.js?a=commitdiff_plain;h=b42b4275bfc0f92e8517ec583af587b9aa304d59;p=postgres-xl.git

fix buffer overflow in gtm_serialize_pgxcnodeinfo()

Due to gtm_get_pgxcnodeinfo_size() not considering 'max_sessions' field,
gtm_serialize_pgxcnodeinfo() was writing ~4B beyond the end of the
allocated buffer. In most cases that did not overwrite any important
data, but sometimes it corrupted malloc metadata, as reported on the
mailing list by Rami Sergey.

23:1325909760:2017-01-16 12:29:56.522 MSK -DEBUG: gtm_get_pgxcnodeinfo_size: s_len=87, s_datalen=91
LOCATION: ProcessPGXCNodeList, register_gtm.c:391
*** Error in `/usr/local/pgsql/bin/gtm': free(): invalid next size (fast): 0x00007fc448004c90 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fc44f0f47e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x7fe0a)[0x7fc44f0fce0a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fc44f10098c]

Fixed by adding 'max_sessions' to gtm_get_pgxcnodeinfo_size().

Report by Rami Sergey, fix by me.
---

diff --git a/src/gtm/common/gtm_serialize.c b/src/gtm/common/gtm_serialize.c
index fe9e3aca3a..d28535aeeb 100644
--- a/src/gtm/common/gtm_serialize.c
+++ b/src/gtm/common/gtm_serialize.c
@@ -662,6 +662,7 @@ gtm_get_pgxcnodeinfo_size(GTM_PGXCNodeInfo *data)
 	len += sizeof(GlobalTransactionId); /* xmin */
 	len += sizeof(GTM_Timestamp); /* reported timestamp */
+	len += sizeof(uint32); /* max_sessions */
 	len += sizeof(uint32); /* num_sessions */
 	if (data->num_sessions > 0) /* sessions */
 		len += (data->num_sessions * sizeof(GTM_PGXCSession));
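Review bot: the added `len += sizeof(uint32); /* max_sessions */` line restores agreement with gtm_serialize_pgxcnodeinfo() only for as long as the two functions are edited in lockstep, which is exactly what slipped here; consider an Assert() at the end of gtm_serialize_pgxcnodeinfo() that the bytes actually written equal gtm_get_pgxcnodeinfo_size(data), so the next drift fails immediately with a clear message instead of the malloc corruption in the report (the s_len=87 / s_datalen=91 debug line in the message shows the two values are already available side by side). A one-line comment in each function pointing at the other would also help the next person who adds a field.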
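The size/serializer drift described in the commit message, as an added example (not Postgres-XL code): a simplified record with the size function in its pre-fix and post-fix shape, plus a bounded serializer whose byte count exposes the 4-byte shortfall instead of writing past the buffer. The struct, field types, the PUT macro, the helper names and the sample values are this example's assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for GTM_PGXCNodeInfo; field order follows the commit's
 * size function, the types and layout are this example's own. */
typedef struct {
    uint32_t  xmin;          /* GlobalTransactionId in the original */
    int64_t   timestamp;     /* GTM_Timestamp in the original */
    uint32_t  max_sessions;  /* the field the size function forgot */
    uint32_t  num_sessions;
    uint32_t *sessions;      /* num_sessions entries (GTM_PGXCSession stand-in) */
} NodeInfo;
/* Size computation in the pre-fix shape: max_sessions is not counted. */
size_t nodeinfo_size_buggy(const NodeInfo *n) {
    size_t len = sizeof n->xmin + sizeof n->timestamp + sizeof n->num_sessions;
    return len + (size_t)n->num_sessions * sizeof(uint32_t);
}
/* Post-fix shape: the missing 4-byte term is added. */
size_t nodeinfo_size_fixed(const NodeInfo *n) {
    return nodeinfo_size_buggy(n) + sizeof n->max_sessions;
}
/* Bounded serializer: copies a field only if it fits in the remaining space and
 * returns bytes written, or 0 when the buffer is too small (no overrun). */
size_t nodeinfo_serialize(const NodeInfo *n, char *buf, size_t buflen) {
    size_t off = 0;
#define PUT(src, sz) do { if ((sz) > buflen - off) return 0; \
                          memcpy(buf + off, (src), (sz)); off += (sz); } while (0)
    PUT(&n->xmin, sizeof n->xmin);
    PUT(&n->timestamp, sizeof n->timestamp);
    PUT(&n->max_sessions, sizeof n->max_sessions);
    PUT(&n->num_sessions, sizeof n->num_sessions);
    if (n->num_sessions > 0)
        PUT(n->sessions, (size_t)n->num_sessions * sizeof(uint32_t));
#undef PUT
    return off;
}
/* 1 if size_fn allocates exactly what the serializer writes, else 0. */
int nodeinfo_size_consistent(const NodeInfo *n, size_t (*size_fn)(const NodeInfo *)) {
    size_t len = size_fn(n);
    char *buf = malloc(len ? len : 1);
    if (buf == NULL) return 0;
    size_t written = nodeinfo_serialize(n, buf, len);
    free(buf);
    return written == len;
}
uint32_t sample_sessions[1] = { 42 };   /* constructed sample: one session */
const NodeInfo sample_node = { 10, 1484565180LL, 100, 1, sample_sessions };
```

Run against the sample, the pre-fix size function yields 20 bytes while the serializer needs 24, so the consistency check returns 0; with the post-fix function both agree on 24 and it returns 1.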