From c7575d22c8ff5c323063f92dbf04ceb5edab5b97 Mon Sep 17 00:00:00 2001 From: Pavan Deolasee Date: Tue, 19 Jan 2016 09:06:04 +0530 Subject: [PATCH] Fix various potential buffer overflows which got exposed after we recently increased GIDSIZE Per report by Tobias Oberstein --- contrib/pgxc_clean/pgxc_clean.c | 2 +- src/backend/pgxc/pool/execRemote.c | 13 ++++++++++--- src/gtm/main/gtm_txn.c | 8 ++++++-- 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/contrib/pgxc_clean/pgxc_clean.c b/contrib/pgxc_clean/pgxc_clean.c index 911bebc520..d96cdf85fd 100644 --- a/contrib/pgxc_clean/pgxc_clean.c +++ b/contrib/pgxc_clean/pgxc_clean.c @@ -509,7 +509,7 @@ do_commit_abort(PGconn *conn, txn_info *txn, bool is_commit) int ii; static const char *EXEC_DIRECT_STMT_FMT = "EXECUTE DIRECT ON (%s) '%s PREPARED ''%s'';';"; static const char *GLOBAL_STMT_FMT = "%s PREPARED '%s';"; - char stmt[1024]; + char *stmt = (char *) malloc (64 + strlen(txn->xid)); PGresult *res; ExecStatusType res_status; diff --git a/src/backend/pgxc/pool/execRemote.c b/src/backend/pgxc/pool/execRemote.c index 46fc336e89..77f3d9d087 100644 --- a/src/backend/pgxc/pool/execRemote.c +++ b/src/backend/pgxc/pool/execRemote.c @@ -2063,8 +2063,8 @@ pgxc_node_remote_prepare(char *prepareGID, bool localNode) { bool isOK = true; StringInfoData nodestr; - char prepare_cmd[256]; - char abort_cmd[256]; + char *prepare_cmd = (char *) palloc (64 + strlen(prepareGID)); + char *abort_cmd; GlobalTransactionId auxXid; char *commit_cmd = "COMMIT TRANSACTION"; int i; @@ -2300,8 +2300,11 @@ pgxc_node_remote_prepare(char *prepareGID, bool localNode) } } + pfree(prepare_cmd); return nodestr.data; + prepare_err: + abort_cmd = (char *) palloc (64 + strlen(abort_cmd)); sprintf(abort_cmd, "ROLLBACK PREPARED '%s'", prepareGID); auxXid = GetAuxilliaryTransactionId(); @@ -2407,6 +2410,7 @@ prepare_err: } pfree_pgxc_all_handles(handles); + pfree(abort_cmd); /* * If the flag is set we are here because combiner carries error message 
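Review bot: The new `stmt` allocation in do_commit_abort is sized from `txn->xid` alone, but `EXEC_DIRECT_STMT_FMT` in the same hunk has three `%s` slots and about 40 bytes of literal text, so the 64-byte slack leaves little room for the node name and the COMMIT/ROLLBACK keyword. The formatting call is outside the hunk, so this is inferred from the format string; if a node name is interpolated there, the size should include its length, or the write should go through `snprintf(stmt, len, ...)` with the same computed `len`. The `malloc` result is also used unchecked. No `free(stmt)` appears in the hunk, so the exit paths of the function, which continues past the hunk, should be checked for a leak.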
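Review bot: At the `prepare_err:` label the new allocation calls `strlen(abort_cmd)` while `abort_cmd` is still an uninitialized pointer (the @@ -2063 hunk declares it with no initializer). That is undefined behaviour and gives the following `sprintf` a buffer of arbitrary size. The length should come from the GID: `abort_cmd = (char *) palloc(64 + strlen(prepareGID));`. `prepare_cmd` is also not released on this error path, because `pfree(prepare_cmd)` sits only before the normal `return nodestr.data;`; that may be acceptable if the memory context is reset on error, but it is worth a comment.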
@@ -4181,7 +4185,7 @@ pgxc_node_remote_finish(char *prepareGID, bool commit, char *nodestring, GlobalTransactionId gxid, GlobalTransactionId prepare_gxid) { - char finish_cmd[256]; + char *finish_cmd; PGXCNodeHandle *connections[MaxCoords + MaxDataNodes]; int conn_count = 0; ResponseCombiner combiner; @@ -4229,6 +4233,8 @@ pgxc_node_remote_finish(char *prepareGID, bool commit, pgxc_handles = get_handles(nodelist, coordlist, false, true); + finish_cmd = (char *) palloc(64 + strlen(prepareGID)); + if (commit) sprintf(finish_cmd, "COMMIT PREPARED '%s'", prepareGID); else @@ -4320,6 +4326,7 @@ pgxc_node_remote_finish(char *prepareGID, bool commit, } pfree_pgxc_all_handles(pgxc_handles); + pfree(finish_cmd); return prepared_local; } diff --git a/src/gtm/main/gtm_txn.c b/src/gtm/main/gtm_txn.c index 7db191a393..f6453532a6 100644 --- a/src/gtm/main/gtm_txn.c +++ b/src/gtm/main/gtm_txn.c @@ -1981,7 +1981,7 @@ void ProcessGetGIDDataTransactionCommand(Port *myport, StringInfo message) { StringInfoData buf; - char gid[1024]; + char *gid; char *nodestring = NULL; int gidlen; GTM_IsolationLevel txn_isolation_level; @@ -1996,6 +1996,7 @@ ProcessGetGIDDataTransactionCommand(Port *myport, StringInfo message) /* receive GID */ gidlen = pq_getmsgint(message, sizeof (GTM_StrLen)); + gid = (char *) palloc(gidlen + 1); memcpy(gid, (char *)pq_getmsgbytes(message, gidlen), gidlen); gid[gidlen] = '\0'; @@ -2096,6 +2097,7 @@ retry: /* No backup to the standby because this does not change internal status */ if (myport->remote_type != GTM_NODE_GTM_PROXY) pq_flush(myport); + pfree(gid); return; } /* @@ -2441,7 +2443,7 @@ ProcessStartPreparedTransactionCommand(Port *myport, StringInfo message, bool is GTM_StrLen gidlen, nodelen; char nodestring[1024]; MemoryContext oldContext; - char gid[1024]; + char *gid; const char *data = pq_getmsgbytes(message, sizeof (gxid)); if (data == NULL) 
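Review bot: The `64 +` slack in `palloc(64 + strlen(prepareGID))` is a magic number that must be kept in sync with the format strings by hand. Using `finish_cmd = psprintf("COMMIT PREPARED '%s'", prepareGID);`, and the same in the `else` branch whose format is outside the hunk, would size the buffer from the formatted result and remove the separate `palloc`. The same pattern is introduced for `prepare_cmd` in the @@ -2063 hunk. Separately, `prepareGID` is placed inside a single-quoted SQL literal without escaping. If a GID can contain a quote character, it should go through a quoting helper such as `quote_literal_cstr()` before the command is sent to the remote nodes.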
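Review bot: In ProcessGetGIDDataTransactionCommand, `gidlen` is read from the message by `pq_getmsgint()` and is now used unchecked as both the allocation size and the `memcpy` length. A negative or very large value reaches `palloc(gidlen + 1)` and `memcpy`, so the fixed-buffer overflow is replaced by a peer-controlled allocation. A range check is needed before the `palloc`, for example `if (gidlen < 0 || gidlen > MAX_GID_LEN)`, where `MAX_GID_LEN` is a placeholder for the project's real limit, followed by the error report this file uses elsewhere. The `pq_getmsgbytes()` result is also passed to `memcpy` without the NULL check that the @@ -2441 hunk shows for the gxid read. The same points apply to the identical lines in the @@ -2453 hunk (ProcessStartPreparedTransactionCommand).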
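Review bot: `nodestring` stays a fixed `char nodestring[1024]` directly above the converted `gid`, and `nodelen` is declared alongside `gidlen`. If the node string is copied from the message using its wire length, it still has the overflow this commit removes for `gid`. The copy is outside the hunk, so this needs confirming there. If it follows the `gid` pattern, it should get the same bounded allocation or an explicit `nodelen < sizeof(nodestring)` check before the copy.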
@@ -2453,6 +2455,7 @@ ProcessStartPreparedTransactionCommand(Port *myport, StringInfo message, bool is
 /* get GID */
 gidlen = pq_getmsgint(message, sizeof (GTM_StrLen));
+ gid = (char *) palloc(gidlen + 1);
 memcpy(gid, (char *)pq_getmsgbytes(message, gidlen), gidlen);
 gid[gidlen] = '\0';
@@ -2523,6 +2526,7 @@ ProcessStartPreparedTransactionCommand(Port *myport, StringInfo message, bool is
 }
 }
+ pfree(gid);
 return;
 }
-- 2.39.5