Fix off-by-one loop termination condition in pg_stat_get_subscription().

tglsfdc · tglsfdc · commit fb646cbd5a9e · 2022-06-07T15:34:30.000-04:00
pg_stat_get_subscription scanned one more LogicalRepWorker array entry than is really allocated. In the worst case this could lead to SIGSEGV, if the LogicalRepCtx data structure is near the end of shared memory. That seems quite unlikely though (thanks to the ordering of calls in CreateSharedMemoryAndSemaphores) and we've heard no field reports of it. A more likely misbehavior is one row of garbage data in the function's result, but even that is not real likely because of the check that the pid field matches some live backend. Report and fix by Kuntal Ghosh. This bug is old, so back-patch to all supported branches. Discussion: https://postgr.es/m/CAGz5QCJykEDzW6jQK6Yz7Qh_PMtD=95de_7QoocbVR2Qy8hWZA@mail.gmail.com
diff --git a/src/backend/replication/logical/launcher.c b/src/backend/replication/logical/launcher.c
@@ -1147,7 +1147,7 @@ pg_stat_get_subscription(PG_FUNCTION_ARGS)
 	/* Make sure we get consistent view of the workers. */
 	LWLockAcquire(LogicalRepWorkerLock, LW_SHARED);
 
-	for (i = 0; i <= max_logical_replication_workers; i++)
+	for (i = 0; i < max_logical_replication_workers; i++)
 	{
 		/* for each row */
 		Datum		values[PG_STAT_GET_SUBSCRIPTION_COLS];

Original file line number	Diff line number	Diff line change
`@@ -1147,7 +1147,7 @@ pg_stat_get_subscription(PG_FUNCTION_ARGS)`
`1147`	`1147`	`/* Make sure we get consistent view of the workers. */`
`1148`	`1148`	`LWLockAcquire(LogicalRepWorkerLock, LW_SHARED);`
`1149`	`1149`
`1150`		`- for (i = 0; i <= max_logical_replication_workers; i++)`
	`1150`	`+ for (i = 0; i < max_logical_replication_workers; i++)`
`1151`	`1151`	`{`
`1152`	`1152`	`/* for each row */`
`1153`	`1153`	`Datum values[PG_STAT_GET_SUBSCRIPTION_COLS];`