Skip to content

Fixing two buffer overflow issues #592

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dutow wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Fixing two buffer overflow issues #592

dutow wants to merge 2 commits into from

Conversation

@dutow
Copy link
Contributor

@dutow dutow commented Dec 5, 2025

Correct the size of tmp array

The snprintf using it should work with any int, which means this string
has to fit ",-2147483648\0", which is 12 characters + a null terminator.

Otherwise it could lead to a buffer overflow, corrupting other variables
on the stack, and maybe causing a crash too?

Fix resp_calls array size

This got broken during a refactoring in de71282. We need the plus 2
items because of the overflow/underflow bucket, without that we can
possibly overindex this array and corrupt other counters.

In earlier versions we even had the encoding variable stored directly
after this array, which possibly caused crashes or incorrectly working
string functions.

dutow added 2 commits December 5, 2025 19:46
@dutow
Correct the size of tmp array
3a647a2 
The snprintf using it should work with any int, which means this string
has to fit ",-2147483648\0", which is 12 characters + a null terminator.

Otherwise it could lead to a buffer overflow, corrupting other variables
on the stack, and maybe causing a crash too?
@dutow
Fix resp_calls array size
9fd3141 
This got broken during a refactoring in de71282. We need the plus 2
items because of the overflow/underflow bucket, without that we can
possibly overindex this array and corrupt other counters.

In earlier versions we even had the encoding variable stored directly
after this array, which possibly caused crashes or incorrectly working
string functions.
@dutow dutow requested a review from artemgavrilov as a code owner December 5, 2025 19:52
@codecov
Copy link

codecov bot commented Dec 5, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.46%. Comparing base (71b045b) to head (9fd3141).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #592      +/-   ##
==========================================
- Coverage   85.48%   85.46%   -0.02%     
==========================================
  Files           3        3              
  Lines        1343     1342       -1     
  Branches      215      215              
==========================================
- Hits         1148     1147       -1     
  Misses         92       92              
  Partials      103      103

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

AndersAstrand
AndersAstrand reviewed Jan 8, 2026
View reviewed changes
pg_stat_monitor.c
int j;
char str[1024];
char tmp[10];
char tmp[13];
Copy link

@AndersAstrand AndersAstrand Jan 8, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is a buffer overflow issue as both calls to snprintf that uses it specifies it length as 10. We should however let it write the whole number of course, so this commit should also fix the calls to snprintf below.

Your example would result in tmp containing ",-2147483\0" even after this change, wouldn't it?

AndersAstrand
AndersAstrand suggested changes Jan 8, 2026
View reviewed changes
Copy link

@AndersAstrand AndersAstrand left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to update the snprintf() calls to use the whole new tmp buffer, and also update the commit message to not suggest that snprintf() would write outside of the buffer.

AndersAstrand
AndersAstrand reviewed Jan 8, 2026
View reviewed changes
pg_stat_monitor.c
continue;
}
snprintf(tmp, 10, ",%d", arr[j]);
strcat(str, tmp);
Copy link

@AndersAstrand AndersAstrand Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

strcat here, however, can lead to a buffer overflow if len is too large. it should probably be fixed even if len is known to always be small.

@AndersAstrand AndersAstrand mentioned this pull request Jan 8, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@artemgavrilov artemgavrilov artemgavrilov approved these changes

+1 more reviewer

@AndersAstrand AndersAstrand AndersAstrand requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dutow @AndersAstrand @artemgavrilov