Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rw96k-00H9H1-BK for pgsql-hackers@arkaria.postgresql.org; Sun, 14 Apr 2024 23:17:58 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1rw96i-008dAi-AX for pgsql-hackers@arkaria.postgresql.org; Sun, 14 Apr 2024 23:17:56 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rw96h-008dAa-Qz for pgsql-hackers@lists.postgresql.org; Sun, 14 Apr 2024 23:17:55 +0000 Received: from mail-ej1-x62b.google.com ([2a00:1450:4864:20::62b]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1rw96b-002s6H-8m for pgsql-hackers@postgresql.org; Sun, 14 Apr 2024 23:17:54 +0000 Received: by mail-ej1-x62b.google.com with SMTP id a640c23a62f3a-a52582ecde4so98741066b.0 for ; Sun, 14 Apr 2024 16:17:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713136667; x=1713741467; darn=postgresql.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=kLvWPiEiXaA7MgRgs7Z96F3DJgBwwhbBsI9lxiYdAKM=; b=hsNllNTB/E/7W8umA3y2IYvGyi3NKnL5qZnQvCASNiY5m0+43SbAf5331PSVw4Oipa FwqfC83Ng57RwRmh9mM4ORcHqp9wOt7LFuonyn7tMrvWpRcx4xcwYmVvbRohozU1aYrF +qJ3kFC2beYIH94jFldGuFXDwkWV6X39EsMQB0SUVBcfp7MYF6NiZb+mQWKV+bIlrrgh sNs9GUgG4Huil+eW99ly2DVFRVn9RTZSgyHn+aQXVUe3VE7S1ya7ewZXNJkECZDQb7oZ bs/k6+e6oeUG+krLdnc4rYIRskNT7v6K2o60a7xiWzpBJ261o6KPhbX8JuXIKsfhV4mX LYzQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713136667; x=1713741467; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=kLvWPiEiXaA7MgRgs7Z96F3DJgBwwhbBsI9lxiYdAKM=; b=vTebZ7DLEDBArUdTqGbBeYN4CtX/HNl0PQTwruFfOXd0Hzg5guyUd9mx6nTzct2DcA PxDcuiDcMu34nLcfSopKUfGqZOHvvxG+/QPemKXmwAqXViQ4sPLaC00JgRKd3Kn8z7hI 178XiPktRysR1ZmqERIIaOh7flrN4Ep5ud3c3nTAyLF9tn0A2ttR9PPTCbM8fraJHye0 0xGK0VFVIgJuZb/QAyAEBsV5F9eBegf/KxKweVAnljjSUKv0gpBSlL6454bQFjSEPdjz ngQS14E1w/oLMuM+gud+zPgPJKu9Mnc5EsagqYQL66RQlJFKLZepPLFGQ7DjzBTz63j9 VYxw== X-Gm-Message-State: AOJu0YxCg6Ea/IfVI6KpVcTcjA9rj+JRGGKXsk2EgWGbypO1K5pYVRoQ jMq67PpOaKXQHgr6qYIIzm5pONL6vnMlYIgVVloZW6KN6pdLzJk/AxNCQqQn3WN7Hbli3jaQIKy /3X7I4QnEXGSjbMQMDhzecGcJs+wV3eSO X-Google-Smtp-Source: AGHT+IE+cYAwBMVd1XjE5HVQ6rEQKl9RJ3tv0PW9gALgx4e5qm5b4j0dYnEVNJHZvTxvcHgeeMI+1OzL/VCJV46/okQ= X-Received: by 2002:a17:906:1cd7:b0:a51:d235:74cf with SMTP id i23-20020a1709061cd700b00a51d23574cfmr4772930ejh.38.1713136666623; Sun, 14 Apr 2024 16:17:46 -0700 (PDT) MIME-Version: 1.0 From: Ranier Vilela Date: Sun, 14 Apr 2024 20:17:35 -0300 Message-ID: Subject: Fix out-of-bounds in the function GetCommandTagName To: Pg Hackers Content-Type: multipart/alternative; boundary="0000000000007745f0061616b649" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --0000000000007745f0061616b649 Content-Type: text/plain; charset="UTF-8" Hi, Per Coverity. Coverity has reported some out-of-bounds bugs related to the GetCommandTagName function. CID 1542964: (#1 of 1): Out-of-bounds access (OVERRUN) 7. overrun-call: Overrunning callee's array of size 193 by passing argument commandtag (which evaluates to 193) in call to GetCommandTagName.[ It turns out that the root of the problem is found in the declaration of the tag_behavior array, which is found in src/backend/tcop/cmdtag.c. The size of the array is defined by COMMAND_TAG_NEXTTAG enum, whose value currently corresponds to 193. Since enum items are evaluated starting at zero, by default. It turns out that the final size of the array, 193, limits the number of items to 192, which excludes the last TAG PG_CMDTAG(CMDTAG_VACUUM, "VACUUM", false, false, false) Fixed leaving it up to the compiler to determine the final size of the array. Patch attached. best regards, Ranier Vilela --0000000000007745f0061616b649 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi,

Per Coverity.
=
Coverity has reported some out-of-bounds bugs
rela= ted to the GetCommandTagName function.

CID 1542964: (#1 of 1): Out-of-bounds access (OVERRUN)
7. overrun-call: Overrunning callee's array of siz= e 193 by passing argument commandtag (which evaluates to 193) in call to Ge= tCommandTagName.[


It turns out that the root of the problem is foun= d in the declaration of the tag_behavior array, which is found in src/backe= nd/tcop/cmdtag.c.

The size of the array is defined= by COMMAND_TAG_NEXTTAG enum,
whose value currently corresponds t= o 193.
Since enum items are evaluated starting at zero, by defaul= t.

It turns out that the final size of the array, = 193, limits the number of items to 192, which excludes the last TAG
PG_C= MDTAG(CMDTAG_VACUUM, "VACUUM", false, false, false)
Fixed leaving it up to the compiler to determine the final size= of the array.

Patch attached.

best regards,
Ranier Vilela

--0000000000007745f0061616b649--