Replace a few strncmp() calls with strlcpy().
authorNoah Misch
Tue, 19 Aug 2014 02:59:31 +0000 (22:59 -0400)
committerNoah Misch
Tue, 19 Aug 2014 02:59:31 +0000 (22:59 -0400)
strncpy() is a specialized API unsuited for routine copying into
fixed-size buffers.  On a system where the length of a single filename
can exceed MAXPGPATH, the pg_archivecleanup change prevents a simple
crash in the subsequent strlen().  Few filesystems support names that
long, and calling pg_archivecleanup with untrusted input is still not a
credible use case.  Therefore, no back-patch.

David Rowley

contrib/pg_archivecleanup/pg_archivecleanup.c
src/backend/access/transam/xlogarchive.c

index 212b267fcfa6cdd4b406570e325c54effcf704bc..97225a81a766532d8d92986133a0285e7c14ade6 100644 (file)
@@ -108,7 +108,12 @@ CleanupPriorWALFiles(void)
    {
        while (errno = 0, (xlde = readdir(xldir)) != NULL)
        {
-           strncpy(walfile, xlde->d_name, MAXPGPATH);
+           /*
+            * Truncation is essentially harmless, because we skip names of
+            * length other than XLOG_DATA_FNAME_LEN.  (In principle, one
+            * could use a 1000-character additional_ext and get trouble.)
+            */
+           strlcpy(walfile, xlde->d_name, MAXPGPATH);
            TrimExtension(walfile, additional_ext);
 
            /*
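Review bot: The new strlcpy() on the last changed line discards its return value, so a truncated d_name is still passed to TrimExtension(), and the added comment itself admits this leaves a residual case (a very long additional_ext) that the later length check may not catch. Since a name that does not fit in MAXPGPATH can never be a WAL segment name this function should act on, it is simpler to skip such entries explicitly rather than rely on downstream filtering: `if (strlcpy(walfile, xlde->d_name, MAXPGPATH) >= MAXPGPATH) continue;`. With that guard the comment can shrink to `/* names that do not fit can never be WAL segment names; skip them */`. The enclosing readdir loop and CleanupPriorWALFiles() begin before the hunk and continue after it.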
index 37745dce8902d41410c6ab9f044f6b4d91669d01..047efa2672f5e1566a6bfbf2adc6418e8ed883ef 100644 (file)
@@ -459,7 +459,8 @@ KeepFileRestoredFromArchive(char *path, char *xlogfname)
                            xlogfpath, oldpath)));
        }
 #else
-       strncpy(oldpath, xlogfpath, MAXPGPATH);
+       /* same-size buffers, so this never truncates */
+       strlcpy(oldpath, xlogfpath, MAXPGPATH);
 #endif
        if (unlink(oldpath) != 0)
            ereport(FATAL,
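Review bot: The added comment `same-size buffers, so this never truncates` asserts an invariant that the hunk does not enforce: both buffers are declared outside the hunk, and if either is later resized the comment silently becomes false while the copy becomes a truncation. If oldpath is a local array (it appears to be, but its declaration is not visible here), passing `sizeof(oldpath)` instead of the bare `MAXPGPATH` ties the bound to the destination's real size: `strlcpy(oldpath, xlogfpath, sizeof(oldpath));`. The same reasoning applies to any strlcpy() into a fixed array elsewhere in KeepFileRestoredFromArchive(), whose body starts before the hunk and continues after the unlink() call.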