Hi all,
In pg_standby.c, we use a 32-byte buffer in CheckForExternalTrigger to
which is read the content of the trigger file defined by -f:
CheckForExternalTrigger(void)
{
char buf[32];
[...]
if ((len = read(fd, buf, sizeof(buf))) < 0)
{
stuff();
}
if (len < sizeof(buf))
buf[len] = '\0';
However it happens that if the file read contains 32 bytes or more, we
enforce \0 in a position out of bounds. While looking at that, I also
noticed that pg_standby can trigger a failover as long as the
beginning of buf matches either "smart" or "fast", but I think we
should check for a perfect match instead of a comparison of the first
bytes, no?
Attached is a patch to fix the out-of-bound issue as well as
improvements for the detection of the trigger file content. I think
that the out-of-bound fix should be backpatched, while the
improvements for the trigger file are master-only. Coverity has
pointed out the out-of-bound issue.
Regards,
--
Michael
diff --git a/contrib/pg_standby/pg_standby.c b/contrib/pg_standby/pg_standby.c
index d6b1692..cd69f54 100644
--- a/contrib/pg_standby/pg_standby.c
+++ b/contrib/pg_standby/pg_standby.c
@@ -426,9 +426,11 @@ CheckForExternalTrigger(void)
close(fd);
return;
}
- buf[len] = '\0';
- if (strncmp(buf, "smart", 5) == 0)
+ if (len < sizeof(buf))
+ buf[len] = '\0';
+
+ if (strncmp(buf, "smart", 5) == 0 && len == 5)
{
Failover = SmartFailover;
fprintf(stderr, "trigger file found: smart failover\n");
@@ -437,7 +439,7 @@ CheckForExternalTrigger(void)
return;
}
- if (strncmp(buf, "fast", 4) == 0)
+ if (strncmp(buf, "fast", 4) == 0 && len == 4)
{
Failover = FastFailover;
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
