Re: Bug in backend/lib/stringinfo.c:enlargeStringInfo() - Mailing list pgsql-bugs

From Tom Lane
Subject Re: Bug in backend/lib/stringinfo.c:enlargeStringInfo()
Date
Msg-id 14582.1084306219@sss.pgh.pa.us
Whole thread Raw
In response to Bug in backend/lib/stringinfo.c:enlargeStringInfo()  (Nick Wellnhofer <wellnhofer@aevum.de>)
Responses Re: Bug in backend/lib/stringinfo.c:enlargeStringInfo()
List pgsql-bugs
Nick Wellnhofer <wellnhofer@aevum.de> writes:
> I found out that the process was looping in enlargeStringInfo() in
> backend/lib/stringinfo.c.

This problem was reported by someone else recently.  I've just applied
the attached patch.

> The real cause of the problem seems to be a frontend/backend
> communication problem. The "needed" argument 0x5454502b comes from a
> 4-byte length field which string content is 'TTP/'. Looks like a part of
> a HTTP request to me.

Yeah, it kinda sounds like someone is trying to send an HTTP request to
the Postgres port :-(

            regards, tom lane

*** src/backend/lib/stringinfo.c.orig    Sat Nov 29 17:39:42 2003
--- src/backend/lib/stringinfo.c    Tue May 11 16:00:20 2004
***************
*** 16,21 ****
--- 16,22 ----
  #include "postgres.h"

  #include "lib/stringinfo.h"
+ #include "utils/memutils.h"


  /*
***************
*** 220,226 ****
--- 221,240 ----
  {
      int            newlen;

+     /*
+      * Guard against ridiculous "needed" values, which can occur if we're
+      * fed bogus data.  Without this, we can get an overflow or infinite
+      * loop in the following.
+      */
+     if (needed < 0 ||
+         ((Size) needed) >= (MaxAllocSize - (Size) str->len))
+         elog(ERROR, "invalid string enlargement request size %d",
+              needed);
+
      needed += str->len + 1;        /* total space required now */
+
+     /* Because of the above test, we now have needed <= MaxAllocSize */
+
      if (needed <= str->maxlen)
          return;                    /* got enough space already */

***************
*** 233,238 ****
--- 247,260 ----
      newlen = 2 * str->maxlen;
      while (needed > newlen)
          newlen = 2 * newlen;
+
+     /*
+      * Clamp to MaxAllocSize in case we went past it.  Note we are assuming
+      * here that MaxAllocSize <= INT_MAX/2, else the above loop could
+      * overflow.  We will still have newlen >= needed.
+      */
+     if (newlen > (int) MaxAllocSize)
+         newlen = (int) MaxAllocSize;

      str->data = (char *) repalloc(str->data, newlen);

pgsql-bugs by date:

Previous
From: Tom Lane
Date:
Subject: Re: V7.4.2: drop database does not drop schemas/table/data
Next
From: Tom Lane
Date:
Subject: Re: Bug in backend/lib/stringinfo.c:enlargeStringInfo()