Thread: Potential NULL dereference found in typecmds.c

Potential NULL dereference found in typecmds.c

From

Michael Mueller

Date:

04 July 2011, 04:18:18

Hi folks,

Sentry found this error last night, and it looks serious enough to
report.  The error was introduced in commit 426cafc.  Here's the code
in question, starting at line 2096:
   if (!found)   {       con = NULL;     /* keep compiler quiet */       ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_OBJECT),               errmsg("constraint \"%s\" of domain \"%s\" does not exist",
           constrName, NameStr(con->conname))));   }
 

It sets 'con' to NULL and then in the next statement, dereferences it.
I'm not sure if it's possible to reach this path, but if it is
reachable it will cause a crash.

Best Regards,
Mike

-- 
Mike Mueller
Phone: (401) 405-1525
Email: mmueller@vigilantsw.com

http://www.vigilantsw.com/

Re: Potential NULL dereference found in typecmds.c

From

Magnus Hagander

Date:

04 July 2011, 09:53:14

On Sat, Jul 2, 2011 at 20:10, Michael Mueller <mmueller@vigilantsw.com> wrote:
> Hi folks,
>
> Sentry found this error last night, and it looks serious enough to
> report.  The error was introduced in commit 426cafc.  Here's the code
> in question, starting at line 2096:
>
>    if (!found)
>    {
>        con = NULL;     /* keep compiler quiet */
>        ereport(ERROR,
>                (errcode(ERRCODE_UNDEFINED_OBJECT),
>                 errmsg("constraint \"%s\" of domain \"%s\" does not exist",
>                        constrName, NameStr(con->conname))));
>    }
>
> It sets 'con' to NULL and then in the next statement, dereferences it.
> I'm not sure if it's possible to reach this path, but if it is
> reachable it will cause a crash.

This code is no longer present in git head, *removed* by commit
426cafc. Not added by it. at least that's how I read the history...

However, it still looks to me like we could get to that code with
con=NULL - if the while loop is never executed. Perhaps this is a
can-never-happen situation? Alvaro?

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Re: Potential NULL dereference found in typecmds.c

From

Peter Geoghegan

Date:

04 July 2011, 10:07:41

On 4 July 2011 13:53, Magnus Hagander <magnus@hagander.net> wrote:
> This code is no longer present in git head, *removed* by commit
> 426cafc. Not added by it. at least that's how I read the history...
>
> However, it still looks to me like we could get to that code with
> con=NULL - if the while loop is never executed. Perhaps this is a
> can-never-happen situation? Alvaro?

Seems slightly academic IMHO. No code path should dereference an
invariably NULL or wild pointer.

--
Peter Geoghegan       http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training and Services

Re: Potential NULL dereference found in typecmds.c

From

Heikki Linnakangas

Date:

04 July 2011, 10:14:23

On 04.07.2011 16:07, Peter Geoghegan wrote:
> On 4 July 2011 13:53, Magnus Hagander<magnus@hagander.net>  wrote:
>> This code is no longer present in git head, *removed* by commit
>> 426cafc. Not added by it. at least that's how I read the history...
>>
>> However, it still looks to me like we could get to that code with
>> con=NULL - if the while loop is never executed. Perhaps this is a
>> can-never-happen situation? Alvaro?
>
> Seems slightly academic IMHO. No code path should dereference an
> invariably NULL or wild pointer.

That error message is bogus anyway:

>     if (!found)
>         ereport(ERROR,
>                 (errcode(ERRCODE_UNDEFINED_OBJECT),
>                  errmsg("constraint \"%s\" of domain \"%s\" does not exist",
>                         constrName, NameStr(con->conname))));

It passes con->conname as the name of the domain, which is just wrong. 
It should be TypeNameToString(typename) instead. The second error 
message that follows has the same bug.

--   Heikki Linnakangas  EnterpriseDB   http://www.enterprisedb.com

Re: Potential NULL dereference found in typecmds.c

From

Alvaro Herrera

Date:

04 July 2011, 12:12:46

Excerpts from Heikki Linnakangas's message of lun jul 04 09:14:11 -0400 2011:
> On 04.07.2011 16:07, Peter Geoghegan wrote:

> That error message is bogus anyway:
> 
> >     if (!found)
> >         ereport(ERROR,
> >                 (errcode(ERRCODE_UNDEFINED_OBJECT),
> >                  errmsg("constraint \"%s\" of domain \"%s\" does not exist",
> >                         constrName, NameStr(con->conname))));
> 
> It passes con->conname as the name of the domain, which is just wrong. 
> It should be TypeNameToString(typename) instead. The second error 
> message that follows has the same bug.

Um, evidently this code has a problem.  I'll fix.

-- 
Álvaro Herrera <alvherre@commandprompt.com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support

Re: Potential NULL dereference found in typecmds.c

From

Alvaro Herrera

Date:

05 July 2011, 22:26:40

Excerpts from Alvaro Herrera's message of lun jul 04 11:12:32 -0400 2011:
> Excerpts from Heikki Linnakangas's message of lun jul 04 09:14:11 -0400 2011:
> > On 04.07.2011 16:07, Peter Geoghegan wrote:
> 
> > That error message is bogus anyway:
> > 
> > >     if (!found)
> > >         ereport(ERROR,
> > >                 (errcode(ERRCODE_UNDEFINED_OBJECT),
> > >                  errmsg("constraint \"%s\" of domain \"%s\" does not exist",
> > >                         constrName, NameStr(con->conname))));
> > 
> > It passes con->conname as the name of the domain, which is just wrong. 
> > It should be TypeNameToString(typename) instead. The second error 
> > message that follows has the same bug.
> 
> Um, evidently this code has a problem.  I'll fix.

I forgot to close this: I applied Heikki's suggested fix yesterday.
Thanks for the report.

-- 
Álvaro Herrera <alvherre@commandprompt.com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support