Hi,

I was able to crash postgres 6.5.3 when I did an 'alter user' command. After I started a debugger I found the problem in the timezone handling of datetime (my Linux box lost its timezone information, that's how the problem occurred). Only 7 bytes are reserved for the timezone, without checking for boundaries. Attached is a patch that fixes this problem and emits a NOTICE if a timezone is encountered that is longer than MAXTZLEN bytes, like this: Jeroen van Vianen
1999-12-09 05:02:24 +00:00 · 1999-12-09 05:02:24 +00:00 · d65a27f950
commit d65a27f950
parent 469cf43fac
2 changed files with 24 additions and 6 deletions
--- a/src/backend/utils/adt/dt.c
+++ b/src/backend/utils/adt/dt.c
@ -7,7 +7,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/utils/adt/Attic/dt.c,v 1.76 1999/07/17 20:17:55 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/utils/adt/Attic/dt.c,v 1.77 1999/12/09 05:02:24 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -4327,7 +4327,7 @@ EncodeDateTime(struct tm * tm, double fsec, int *tzp, char **tzn, int style, cha
 					if ((*tzn != NULL) && (tm->tm_isdst >= 0))
 					{
 						strcpy((str + 27), " ");
-						strcpy((str + 28), *tzn);
+						strncpy((str + 28), *tzn, MAXTZLEN);
 					}
 				}
 				else
@ -4336,7 +4336,7 @@ EncodeDateTime(struct tm * tm, double fsec, int *tzp, char **tzn, int style, cha
 					if ((*tzn != NULL) && (tm->tm_isdst >= 0))
 					{
 						strcpy((str + 24), " ");
-						strcpy((str + 25), *tzn);
+						strncpy((str + 25), *tzn, MAXTZLEN);
 					}
 				}

--- a/src/backend/utils/adt/nabstime.c
+++ b/src/backend/utils/adt/nabstime.c
@ -4,7 +4,7 @@
 *
 * Copyright (c) 1994, Regents of the University of California
 *
- *	  $Id: nabstime.c,v 1.61 1999/07/17 20:17:57 momjian Exp $
+ *	  $Id: nabstime.c,v 1.62 1999/12/09 05:02:24 momjian Exp $
 *
 */
 #include <ctype.h>
@ -174,7 +174,16 @@ abstime2tm(AbsoluteTime time, int *tzp, struct tm * tm, char *tzn)
 		*tzp = -tm->tm_gmtoff;	/* tm_gmtoff is Sun/DEC-ism */
 	/* XXX FreeBSD man pages indicate that this should work - tgl 97/04/23 */
 	if (tzn != NULL)
-		strcpy(tzn, tm->tm_zone);
+	{
+		/* Copy no more than MAXTZLEN bytes of timezone to tzn, in case it
+		   contains an error message, which doesn't fit in the buffer */
+		strncpy(tzn, tm->tm_zone, MAXTZLEN);
+		if (strlen(tm->tm_zone) > MAXTZLEN)
+		{
+			tzn[MAXTZLEN] = '\0';
+			elog(NOTICE, "Invalid timezone \'%s\'", tm->tm_zone);
+		}
+	}
 #elif defined(HAVE_INT_TIMEZONE)
 	if (tzp != NULL)
 #ifdef __CYGWIN__
@ -183,7 +192,16 @@ abstime2tm(AbsoluteTime time, int *tzp, struct tm * tm, char *tzn)
 		*tzp = (tm->tm_isdst ? (timezone - 3600) : timezone);
 #endif
 	if (tzn != NULL)
-		strcpy(tzn, tzname[tm->tm_isdst]);
+	{
+		/* Copy no more than MAXTZLEN bytes of timezone to tzn, in case it
+		   contains an error message, which doesn't fit in the buffer */
+		strncpy(tzn, tzname[tm->tm_isdst], MAXTZLEN);
+		if (strlen(tzname[tm->tm_isdst]) > MAXTZLEN)
+		{
+			tzn[MAXTZLEN] = '\0';
+			elog(NOTICE, "Invalid timezone \'%s\'", tzname[tm->tm_isdst]);
+		}
+	}
 #else
 #error POSIX time support is broken
 #endif