Fix two memcpy() bugs in the new injection point code

hlinnaka · hlinnaka · commit 0eb23285a257 · 2024-01-22T20:55:45.000+02:00
1. The memcpy()s in InjectionPointAttach() would copy garbage from beyond the end of input string to the buffer in shared memory. You won't usually notice, but if there is not enough valid mapped memory beyond the end of the string, the read of unmapped memory will segfault. This was flagged by the Cirrus CI build with address sanitizer enabled. 2. The memcpy() in injection_point_cache_add() failed to copy the NULL terminator. Discussion: https://www.postgresql.org/message-id/0615a424-b726-4157-afa7-4245629f9512%40iki.fi
diff --git a/src/backend/utils/misc/injection_point.c b/src/backend/utils/misc/injection_point.c
@@ -97,7 +97,7 @@ injection_point_cache_add(const char *name,
 		hash_search(InjectionPointCache, name, HASH_ENTER, &found);
 
 	Assert(!found);
-	memcpy(entry->name, name, strlen(name));
+	strlcpy(entry->name, name, sizeof(entry->name));
 	entry->callback = callback;
 }
 
@@ -217,11 +217,11 @@ InjectionPointAttach(const char *name,
 	}
 
 	/* Save the entry */
-	memcpy(entry_by_name->name, name, sizeof(entry_by_name->name));
+	strlcpy(entry_by_name->name, name, sizeof(entry_by_name->name));
 	entry_by_name->name[INJ_NAME_MAXLEN - 1] = '\0';
-	memcpy(entry_by_name->library, library, sizeof(entry_by_name->library));
+	strlcpy(entry_by_name->library, library, sizeof(entry_by_name->library));
 	entry_by_name->library[INJ_LIB_MAXLEN - 1] = '\0';
-	memcpy(entry_by_name->function, function, sizeof(entry_by_name->function));
+	strlcpy(entry_by_name->function, function, sizeof(entry_by_name->function));
 	entry_by_name->function[INJ_FUNC_MAXLEN - 1] = '\0';
 
 	LWLockRelease(InjectionPointLock);
