Re: Bug in backend/lib/stringinfo.c:enlargeStringInfo()

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Nick Wellnhofer <wellnhofer(at)aevum(dot)de>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: Bug in backend/lib/stringinfo.c:enlargeStringInfo()
Date: 2004-05-11 20:10:19
Message-ID: 14582.1084306219@sss.pgh.pa.us
Lists: pgsql-bugs

Nick Wellnhofer <wellnhofer(at)aevum(dot)de> writes:
> I found out that the process was looping in enlargeStringInfo() in
> backend/lib/stringinfo.c.

This problem was reported by someone else recently. I've just applied
the attached patch.

> The real cause of the problem seems to be a frontend/backend
> communication problem. The "needed" argument 0x5454502b comes from a
> 4-byte length field which string content is 'TTP/'. Looks like a part of
> a HTTP request to me.

Yeah, it kinda sounds like someone is trying to send an HTTP request to
the Postgres port :-(

regards, tom lane

*** src/backend/lib/stringinfo.c.orig Sat Nov 29 17:39:42 2003
--- src/backend/lib/stringinfo.c Tue May 11 16:00:20 2004
***************
*** 16,21 ****
--- 16,22 ----
#include "postgres.h"

#include "lib/stringinfo.h"
+ #include "utils/memutils.h"


/*
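Review bot: the new include is needed only for MaxAllocSize, which the two hunks below use, and utils/memutils.h is the header that defines it; nothing else from that header is referenced, so no objection to this hunk.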
***************
*** 220,226 ****
--- 221,240 ----
{
int newlen;

+ /*
+ * Guard against ridiculous "needed" values, which can occur if we're
+ * fed bogus data. Without this, we can get an overflow or infinite
+ * loop in the following.
+ */
+ if (needed < 0 ||
+ ((Size) needed) >= (MaxAllocSize - (Size) str->len))
+ elog(ERROR, "invalid string enlargement request size %d",
+ needed);
+
needed += str->len + 1; /* total space required now */
+
+ /* Because of the above test, we now have needed <= MaxAllocSize */
+
if (needed <= str->maxlen)
return; /* got enough space already */

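Review bot: the guard `((Size) needed) >= (MaxAllocSize - (Size) str->len)` silently depends on str->len never exceeding MaxAllocSize; if it did, the unsigned subtraction would wrap and a huge `needed` would pass. That invariant does hold because the clamp in the following hunk keeps maxlen (and therefore len) at or below MaxAllocSize, but it deserves a line in the new comment, e.g. `/* relies on str->len <= MaxAllocSize, which the clamp below guarantees */`. The arithmetic is otherwise right: `needed + len < MaxAllocSize` gives `needed + len + 1 <= MaxAllocSize` after `needed += str->len + 1`, matching the comment that follows. Raising elog(ERROR) is also the right failure mode for a length that arrived from the client: the connection's request is rejected instead of the backend spinning forever.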
***************
*** 233,238 ****
--- 247,260 ----
newlen = 2 * str->maxlen;
while (needed > newlen)
newlen = 2 * newlen;
+
+ /*
+ * Clamp to MaxAllocSize in case we went past it. Note we are assuming
+ * here that MaxAllocSize <= INT_MAX/2, else the above loop could
+ * overflow. We will still have newlen >= needed.
+ */
+ if (newlen > (int) MaxAllocSize)
+ newlen = (int) MaxAllocSize;

str->data = (char *) repalloc(str->data, newlen);

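Review bot: the assumption that MaxAllocSize <= INT_MAX/2 lives only in the comment; if MaxAllocSize is ever raised, `newlen = 2 * newlen` can overflow int again before the clamp runs, reintroducing the loop this patch fixes. Consider pinning it next to the clamp, e.g. `Assert(MaxAllocSize <= INT_MAX / 2);`, so the dependency fails loudly rather than silently. The `(int) MaxAllocSize` casts are fine under that same assumption.
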