Replace a few strncmp() calls with strlcpy().

strncmp() is a specialized API unsuited for routine copying into fixed-size buffers. On a system where the length of a single filename can exceed MAXPGPATH, the pg_archivecleanup change prevents a simple crash in the subsequent strlen(). Few filesystems support names that long, and calling pg_archivecleanup with untrusted input is still not a credible use case. Therefore, no back-patch. David Rowley
2014-08-18 22:59:31 -04:00 · 2014-08-18 22:59:31 -04:00 · fb2aece8ae
commit fb2aece8ae
parent 7fc5f1a355
2 changed files with 8 additions and 2 deletions
--- a/contrib/pg_archivecleanup/pg_archivecleanup.c
+++ b/contrib/pg_archivecleanup/pg_archivecleanup.c
@ -108,7 +108,12 @@ CleanupPriorWALFiles(void)
 	{
 		while (errno = 0, (xlde = readdir(xldir)) != NULL)
 		{
-			strncpy(walfile, xlde->d_name, MAXPGPATH);
+			/*
+			 * Truncation is essentially harmless, because we skip names of
+			 * length other than XLOG_DATA_FNAME_LEN.  (In principle, one
+			 * could use a 1000-character additional_ext and get trouble.)
+			 */
+			strlcpy(walfile, xlde->d_name, MAXPGPATH);
 			TrimExtension(walfile, additional_ext);

 			/*
--- a/src/backend/access/transam/xlogarchive.c
+++ b/src/backend/access/transam/xlogarchive.c
@ -459,7 +459,8 @@ KeepFileRestoredFromArchive(char *path, char *xlogfname)
 							xlogfpath, oldpath)));
 		}
 #else
-		strncpy(oldpath, xlogfpath, MAXPGPATH);
+		/* same-size buffers, so this never truncates */
+		strlcpy(oldpath, xlogfpath, MAXPGPATH);
 #endif
 		if (unlink(oldpath) != 0)
 			ereport(FATAL,