strncmp() is a specialized API unsuited for routine copying into
fixed-size buffers. On a system where the length of a single filename
can exceed MAXPGPATH, the pg_archivecleanup change prevents a simple
crash in the subsequent strlen(). Few filesystems support names that
long, and calling pg_archivecleanup with untrusted input is still not a
credible use case. Therefore, no back-patch.
David Rowley
{
while (errno = 0, (xlde = readdir(xldir)) != NULL)
{
- strncpy(walfile, xlde->d_name, MAXPGPATH);
+ /*
+ * Truncation is essentially harmless, because we skip names of
+ * length other than XLOG_DATA_FNAME_LEN. (In principle, one
+ * could use a 1000-character additional_ext and get trouble.)
+ */
+ strlcpy(walfile, xlde->d_name, MAXPGPATH);
TrimExtension(walfile, additional_ext);
/*
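Review bot: The return value of `strlcpy(walfile, xlde->d_name, MAXPGPATH)` is discarded, so a truncated name goes into `TrimExtension()` with no signal, and the new comment itself concedes that a very long additional_ext could still cause trouble. Since strlcpy() returns the length of the source string, checking for a result `>= MAXPGPATH` and skipping that directory entry with `continue` would close the case the comment describes instead of only documenting it.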
xlogfpath, oldpath)));
}
#else
- strncpy(oldpath, xlogfpath, MAXPGPATH);
+ /* same-size buffers, so this never truncates */
+ strlcpy(oldpath, xlogfpath, MAXPGPATH);
#endif
if (unlink(oldpath) != 0)
ereport(FATAL,
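Review bot: The comment "same-size buffers, so this never truncates" on the `strlcpy(oldpath, xlogfpath, MAXPGPATH)` line states an invariant that nothing in this hunk enforces, and the declarations of oldpath and xlogfpath are not visible here. If oldpath is a local array, passing `sizeof(oldpath)` as the bound, or asserting that the strlcpy() result is below MAXPGPATH, would keep the claim true should either buffer's size change later; as written, a truncated oldpath would go straight to `unlink()`.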