Fix two memcpy() bugs in the new injection point code

1. The memcpy()s in InjectionPointAttach() would copy garbage from beyond the end of input string to the buffer in shared memory. You won't usually notice, but if there is not enough valid mapped memory beyond the end of the string, the read of unmapped memory will segfault. This was flagged by the Cirrus CI build with address sanitizer enabled. 2. The memcpy() in injection_point_cache_add() failed to copy the NULL terminator. Discussion: https://www.postgresql.org/message-id/0615a424-b726-4157-afa7-4245629f9512%40iki.fi
2025-06-06 00:02:36 -04:00 · 2024-01-22 20:55:45 +02:00 · 2024-01-22 20:55:45 +02:00 · 0eb23285a2
commit 0eb23285a2
parent 49f7c6c44a
1 changed files with 4 additions and 4 deletions
--- a/src/backend/utils/misc/injection_point.c
+++ b/src/backend/utils/misc/injection_point.c
@ -97,7 +97,7 @@ injection_point_cache_add(const char *name,
 		hash_search(InjectionPointCache, name, HASH_ENTER, &found);

 	Assert(!found);
-	memcpy(entry->name, name, strlen(name));
+	strlcpy(entry->name, name, sizeof(entry->name));
 	entry->callback = callback;
 }

@ -217,11 +217,11 @@ InjectionPointAttach(const char *name,
 	}

 	/* Save the entry */
-	memcpy(entry_by_name->name, name, sizeof(entry_by_name->name));
+	strlcpy(entry_by_name->name, name, sizeof(entry_by_name->name));
 	entry_by_name->name[INJ_NAME_MAXLEN - 1] = '\0';
-	memcpy(entry_by_name->library, library, sizeof(entry_by_name->library));
+	strlcpy(entry_by_name->library, library, sizeof(entry_by_name->library));
 	entry_by_name->library[INJ_LIB_MAXLEN - 1] = '\0';
-	memcpy(entry_by_name->function, function, sizeof(entry_by_name->function));
+	strlcpy(entry_by_name->function, function, sizeof(entry_by_name->function));
 	entry_by_name->function[INJ_FUNC_MAXLEN - 1] = '\0';

 	LWLockRelease(InjectionPointLock);