Re: Bug in backend/lib/stringinfo.c:enlargeStringInfo()

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Nick Wellnhofer <wellnhofer(at)aevum(dot)de>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: Bug in backend/lib/stringinfo.c:enlargeStringInfo()
Date: 2004-05-11 20:10:19
Message-ID: 14582.1084306219@sss.pgh.pa.us
Lists: pgsql-bugs
Nick Wellnhofer <wellnhofer(at)aevum(dot)de> writes:
> I found out that the process was looping in enlargeStringInfo() in 
> backend/lib/stringinfo.c.

This problem was reported by someone else recently.  I've just applied
the attached patch.

> The real cause of the problem seems to be a frontend/backend 
> communication problem. The "needed" argument 0x5454502b comes from a 
> 4-byte length field whose string content is 'TTP/'. Looks like a part of 
> an HTTP request to me.

Yeah, it kinda sounds like someone is trying to send an HTTP request to
the Postgres port :-(

			regards, tom lane

*** src/backend/lib/stringinfo.c.orig	Sat Nov 29 17:39:42 2003
--- src/backend/lib/stringinfo.c	Tue May 11 16:00:20 2004
***************
*** 16,21 ****
--- 16,22 ----
  #include "postgres.h"
  
  #include "lib/stringinfo.h"
+ #include "utils/memutils.h"
  
  
  /*
***************
*** 220,226 ****
--- 221,240 ----
  {
  	int			newlen;
  
+ 	/*
+ 	 * Guard against ridiculous "needed" values, which can occur if we're
+ 	 * fed bogus data.  Without this, we can get an overflow or infinite
+ 	 * loop in the following.
+ 	 */
+ 	if (needed < 0 ||
+ 		((Size) needed) >= (MaxAllocSize - (Size) str->len))
+ 		elog(ERROR, "invalid string enlargement request size %d",
+ 			 needed);
+ 
  	needed += str->len + 1;		/* total space required now */
+ 
+ 	/* Because of the above test, we now have needed <= MaxAllocSize */
+ 
  	if (needed <= str->maxlen)
  		return;					/* got enough space already */
  
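Review bot: the order of the two tests in the new guard deserves a word in the comment: `needed < 0` is checked before the cast to `Size`, so a negative value cannot become a huge unsigned one that slips past the second comparison, and using `>=` rather than `>` against `MaxAllocSize - (Size) str->len` is exactly what makes `needed += str->len + 1` land at or below MaxAllocSize, as the comment after it claims. Reporting the raw `needed` value in the elog(ERROR) message is also useful operationally: a size such as the 0x5454502b quoted in this thread appearing in the server log is the signature of non-protocol traffic reaching the port, not of a memory bug, and it gives an operator something concrete to correlate with connection logs.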
***************
*** 233,238 ****
--- 247,260 ----
  	newlen = 2 * str->maxlen;
  	while (needed > newlen)
  		newlen = 2 * newlen;
+ 
+ 	/*
+ 	 * Clamp to MaxAllocSize in case we went past it.  Note we are assuming
+ 	 * here that MaxAllocSize <= INT_MAX/2, else the above loop could
+ 	 * overflow.  We will still have newlen >= needed.
+ 	 */
+ 	if (newlen > (int) MaxAllocSize)
+ 		newlen = (int) MaxAllocSize;
  
  	str->data = (char *) repalloc(str->data, newlen);
  
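Review bot: the doubling loop `newlen = 2 * str->maxlen; while (needed > newlen) newlen = 2 * newlen;` terminates only because str->maxlen is positive and the new guard keeps needed <= MaxAllocSize; if maxlen were ever 0 the loop would spin at newlen == 0 regardless of the clamp that follows, so the comment could state the maxlen > 0 precondition alongside the MaxAllocSize <= INT_MAX/2 assumption it already records. The clamp itself is sound: since the earlier hunk guarantees needed <= MaxAllocSize, clamping newlen down to MaxAllocSize still leaves newlen >= needed, as the comment says.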

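As an added example (not PostgreSQL code and not part of Tom's patch), the C below models both the pre-patch doubling loop and the patched guard against the 0x5454502b request quoted above, so the hang Nick observed and its fix can be seen side by side. It assumes MaxAllocSize is 0x3fffffff (its value in utils/memutils.h) and a 1024-byte initial buffer as allocated by initStringInfo().

```c
#include <stdint.h>
#include <stdio.h>

typedef size_t Size;
/* PostgreSQL's allocation ceiling, 0x3fffffff in utils/memutils.h (assumed here). */
#define MaxAllocSize ((Size) 0x3fffffff)

/* Pre-patch growth logic, with the doubling done in uint32_t so the signed
 * overflow that is undefined in C shows up as a visible wraparound.  Returns
 * the number of doublings until newlen covers needed, or -1 if that never
 * happens within max_iter iterations (the hang reported in the thread). */
int unguarded_doublings(int len, int maxlen, int needed, int max_iter)
{
    uint32_t newlen = 2u * (uint32_t) maxlen;
    int i;

    needed += len + 1;                /* total space required now */
    if (needed <= maxlen)
        return 0;                     /* got enough space already */
    for (i = 0; i < max_iter; i++) {
        if (!(needed > (int32_t) newlen))
            return i;                 /* loop condition false: done */
        newlen *= 2u;                 /* 2^30 -> 0x80000000 (negative) -> 0 -> 0 ... */
    }
    return -1;
}

/* Patched behaviour: the size the buffer grows to, or -1 where the new
 * guard raises elog(ERROR).  len/maxlen mirror the StringInfo fields. */
int guarded_enlarge(int len, int maxlen, int needed)
{
    int newlen;

    /* Reject negative or absurd requests before any arithmetic on them. */
    if (needed < 0 || ((Size) needed) >= (MaxAllocSize - (Size) len))
        return -1;

    needed += len + 1;                /* now needed <= MaxAllocSize */
    if (needed <= maxlen)
        return maxlen;

    newlen = 2 * maxlen;
    while (needed > newlen)
        newlen = 2 * newlen;          /* cannot overflow: MaxAllocSize <= INT_MAX/2 */
    if (newlen > (int) MaxAllocSize)
        newlen = (int) MaxAllocSize;  /* clamp; still newlen >= needed */
    return newlen;
}

int main(void)
{
    int bogus = 0x5454502b;           /* the length field quoted in the thread */
    printf("pre-patch doublings for bogus request: %d\n", unguarded_doublings(0, 1024, bogus, 100));
    printf("patched result for bogus request: %d\n", guarded_enlarge(0, 1024, bogus));
    printf("patched result for a 3000-byte request: %d\n", guarded_enlarge(0, 1024, 3000));
    return 0;
}
```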