Commit 567787f2 authored by Heikki Linnakangas

Validate xlog record header before enlarging the work area to store it.

If the record header is garbled, we're now quite likely to notice it before
we try to make a bogus memory allocation and run out of memory. That can
still happen, if the xlog record is split across pages (we cannot verify
the record header until reading the next page in that scenario), but this
reduces the chances. An out-of-memory is treated as a corrupt record
anyway, so this isn't a correctness issue, just a case of giving a better
error message.

Per Amit Kapila's suggestion.
parent 42e2ce6a
...@@ -3829,14 +3829,31 @@ retry: ...@@ -3829,14 +3829,31 @@ retry:
} }
/* /*
* Read the record length.
*
* NB: Even though we use an XLogRecord pointer here, the whole record * NB: Even though we use an XLogRecord pointer here, the whole record
* header might not fit on this page. xl_tot_len is the first field in * header might not fit on this page. xl_tot_len is the first field of
* struct, so it must be on this page, but we cannot safely access any * the struct, so it must be on this page (the records are MAXALIGNed),
* other fields yet. * but we cannot access any other fields until we've verified that we
* got the whole header.
*/ */
record = (XLogRecord *) (readBuf + (*RecPtr) % XLOG_BLCKSZ); record = (XLogRecord *) (readBuf + (*RecPtr) % XLOG_BLCKSZ);
total_len = record->xl_tot_len; total_len = record->xl_tot_len;
/*
* If the whole record header is on this page, validate it immediately.
* Otherwise validate it after reading the rest of the header from next
* page.
*/
if (targetRecOff <= XLOG_BLCKSZ - SizeOfXLogRecord)
{
if (!ValidXLogRecordHeader(RecPtr, record, emode, randAccess))
goto next_record_is_invalid;
gotheader = true;
}
else
gotheader = false;
/* /*
* Allocate or enlarge readRecordBuf as needed. To avoid useless small * Allocate or enlarge readRecordBuf as needed. To avoid useless small
* increases, round its size to a multiple of XLOG_BLCKSZ, and make sure * increases, round its size to a multiple of XLOG_BLCKSZ, and make sure
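Review bot: the early validation only covers the case where the whole header fits on the current page (`targetRecOff <= XLOG_BLCKSZ - SizeOfXLogRecord`); on the other branch `total_len` is still taken from the unverified `xl_tot_len` and flows unchecked into the readRecordBuf enlargement that follows, which the commit message acknowledges. Consider adding a cheap upper-bound sanity check on `total_len` before the allocation so that a garbled length on a page boundary is also reported as a corrupt record rather than surfacing as an out-of-memory failure. A small wording point on the new comment: "from next page" reads better as "from the next page", matching the text of the block this replaces.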
...@@ -3865,19 +3882,6 @@ retry: ...@@ -3865,19 +3882,6 @@ retry:
readRecordBufSize = newSize; readRecordBufSize = newSize;
} }
/*
* If we got the whole header already, validate it immediately. Otherwise
* we validate it after reading the rest of the header from the next page.
*/
if (targetRecOff <= XLOG_BLCKSZ - SizeOfXLogRecord)
{
if (!ValidXLogRecordHeader(RecPtr, record, emode, randAccess))
goto next_record_is_invalid;
gotheader = true;
}
else
gotheader = false;
len = XLOG_BLCKSZ - (*RecPtr) % XLOG_BLCKSZ; len = XLOG_BLCKSZ - (*RecPtr) % XLOG_BLCKSZ;
if (total_len > len) if (total_len > len)
{ {
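Review bot: this removal is the other half of moving the header-validation block above the readRecordBuf enlargement; the two copies are identical apart from the comment wording, so the move is behaviour-preserving, and `gotheader` is still assigned on both branches before the `if (total_len > len)` logic that depends on it. A minor style point: rewording the comment in the same commit as the move makes the diff harder to read as a pure relocation; keeping the comment text unchanged, or reflowing it in a separate change, would let the two hunks cancel out visually.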