From cb66f495f5d0c204f051971f2c549d5c3ac850ea Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Mon, 16 Feb 2015 16:17:48 -0500 Subject: [PATCH] Fix misuse of memcpy() in check_ip(). The previous coding copied garbage into a local variable, pretty much ensuring that the intended test of an IPv6 connection address against a promoted IPv4 address from pg_hba.conf would never match. The lack of field complaints likely indicates that nobody realized this was supposed to work, which is unsurprising considering that no user-facing docs suggest it should work. In principle this could have led to a SIGSEGV due to reading off the end of memory, but since the source address would have pointed to somewhere in the function's stack frame, that's quite unlikely. What led to discovery of the bug is Hugo Osvaldo Barrera's report of a crash after an OS upgrade, which is probably because he is now running a system in which memcpy raises abort() upon detecting overlapping source and destination areas. (You'd have to additionally suppose some things about the stack frame layout to arrive at this conclusion, but it seems plausible.) This has been broken since the code was added, in commit f3aec2c7f51904e7, so back-patch to all supported branches. --- src/backend/libpq/hba.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index 9cde6a21ce..8c8213448a 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -700,8 +700,8 @@ check_ip(SockAddr *raddr, struct sockaddr * addr, struct sockaddr * mask) struct sockaddr_storage addrcopy, maskcopy; - memcpy(&addrcopy, &addr, sizeof(addrcopy)); - memcpy(&maskcopy, &mask, sizeof(maskcopy)); + memcpy(&addrcopy, addr, sizeof(addrcopy)); + memcpy(&maskcopy, mask, sizeof(maskcopy)); pg_promote_v4_to_v6_addr(&addrcopy); pg_promote_v4_to_v6_mask(&maskcopy);