Fix off-by-one loop termination condition in pg_stat_get_subscription().

pg_stat_get_subscription scanned one more LogicalRepWorker array entry
than is really allocated.  In the worst case this could lead to SIGSEGV,
if the LogicalRepCtx data structure is near the end of shared memory.
That seems quite unlikely though (thanks to the ordering of calls in
CreateSharedMemoryAndSemaphores) and we've heard no field reports of it.
A more likely misbehavior is one row of garbage data in the function's
result, but even that is not real likely because of the check that the
pid field matches some live backend.

Report and fix by Kuntal Ghosh.  This bug is old, so back-patch
to all supported branches.

Discussion: https://postgr.es/m/CAGz5QCJykEDzW6jQK6Yz7Qh_PMtD=95de_7QoocbVR2Qy8hWZA@mail.gmail.com

diff --git a/src/backend/replication/logical/launcher.c b/src/backend/replication/logical/launcher.c
index b725c9213e3c1d00d628f790c62aa2f6c64fe3e9..4ea37e7ed95ef6336885beed639de4b694e03ad0 100644 (file)
--- a/src/backend/replication/logical/launcher.c
+++ b/src/backend/replication/logical/launcher.c
@@ -1147,7 +1147,7 @@ pg_stat_get_subscription(PG_FUNCTION_ARGS)
    /* Make sure we get consistent view of the workers. */
    LWLockAcquire(LogicalRepWorkerLock, LW_SHARED);
 
-   for (i = 0; i <= max_logical_replication_workers; i++)
+   for (i = 0; i < max_logical_replication_workers; i++)
    {
        /* for each row */
        Datum       values[PG_STAT_GET_SUBSCRIPTION_COLS];