Skip to content

Commit f78ebbe

Browse files
peterepetere
committed
Avoid invalid alloc size error in shm_mq
In shm_mq_receive(), a huge payload could trigger an unjustified "invalid memory alloc request size" error due to the way the buffer size is increased. Add error checks (documenting the upper limit) and avoid the error by limiting the allocation size to MaxAllocSize. Author: Markus Wanner <markus.wanner@2ndquadrant.com> Discussion: https://www.postgresql.org/message-id/flat/3bb363e7-ac04-0ac4-9fe8-db1148755bfa%402ndquadrant.com
1 parent 68f2369 commit f78ebbe

File tree

1 file changed

+24
-0
lines changed

1 file changed

+24
-0
lines changed

src/backend/storage/ipc/shm_mq.c

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,7 @@
2424
#include "storage/procsignal.h"
2525
#include "storage/shm_mq.h"
2626
#include "storage/spin.h"
27+
#include "utils/memutils.h"
2728

2829
/*
2930
* This structure represents the actual queue, stored in shared memory.
@@ -364,6 +365,13 @@ shm_mq_sendv(shm_mq_handle *mqh, shm_mq_iovec *iov, int iovcnt, bool nowait)
364365
for (i = 0; i < iovcnt; ++i)
365366
nbytes += iov[i].len;
366367

368+
/* Prevent writing messages overwhelming the receiver. */
369+
if (nbytes > MaxAllocSize)
370+
ereport(ERROR,
371+
(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
372+
errmsg("cannot send a message of size %zu via shared memory queue",
373+
nbytes)));
374+
367375
/* Try to write, or finish writing, the length word into the buffer. */
368376
while (!mqh->mqh_length_word_complete)
369377
{
@@ -657,6 +665,17 @@ shm_mq_receive(shm_mq_handle *mqh, Size *nbytesp, void **datap, bool nowait)
657665
}
658666
nbytes = mqh->mqh_expected_bytes;
659667

668+
/*
669+
* Should be disallowed on the sending side already, but better check and
670+
* error out on the receiver side as well rather than trying to read a
671+
* prohibitively large message.
672+
*/
673+
if (nbytes > MaxAllocSize)
674+
ereport(ERROR,
675+
(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
676+
errmsg("invalid message size %zu in shared memory queue",
677+
nbytes)));
678+
660679
if (mqh->mqh_partial_bytes == 0)
661680
{
662681
/*
@@ -685,8 +704,13 @@ shm_mq_receive(shm_mq_handle *mqh, Size *nbytesp, void **datap, bool nowait)
685704
{
686705
Size newbuflen = Max(mqh->mqh_buflen, MQH_INITIAL_BUFSIZE);
687706

707+
/*
708+
* Double the buffer size until the payload fits, but limit to
709+
* MaxAllocSize.
710+
*/
688711
while (newbuflen < nbytes)
689712
newbuflen *= 2;
713+
newbuflen = Min(newbuflen, MaxAllocSize);
690714

691715
if (mqh->mqh_buffer != NULL)
692716
{

0 commit comments

Comments
 (0)