Lists: | pgsql-hackers |
---|
From: | Michael Mueller <mmueller(at)vigilantsw(dot)com> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Potential NULL dereference found in typecmds.c |
Date: | 2011-07-02 18:10:00 |
Message-ID: | BANLkTimJxL4GTprqSqoAJ7ReZs_VkUs72g@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
Hi folks,
Sentry found this error last night, and it looks serious enough to
report. The error was introduced in commit 426cafc. Here's the code
in question, starting at line 2096:
if (!found)
{
con = NULL; /* keep compiler quiet */
ereport(ERROR,
(errcode(ERRCODE_UNDEFINED_OBJECT),
errmsg("constraint \"%s\" of domain \"%s\" does not exist",
constrName, NameStr(con->conname))));
}
It sets 'con' to NULL and then in the next statement, dereferences it.
I'm not sure if it's possible to reach this path, but if it is
reachable it will cause a crash.
Best Regards,
Mike
--
Mike Mueller
Phone: (401) 405-1525
Email: mmueller(at)vigilantsw(dot)com
From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Michael Mueller <mmueller(at)vigilantsw(dot)com>, Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Potential NULL dereference found in typecmds.c |
Date: | 2011-07-04 12:53:06 |
Message-ID: | CABUevExJoAwFEzUg1schREYJeP98oUT7ftRZrh7oLp6i17s2vw@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
On Sat, Jul 2, 2011 at 20:10, Michael Mueller <mmueller(at)vigilantsw(dot)com> wrote:
> Hi folks,
>
> Sentry found this error last night, and it looks serious enough to
> report. The error was introduced in commit 426cafc. Here's the code
> in question, starting at line 2096:
>
> if (!found)
> {
> con = NULL; /* keep compiler quiet */
> ereport(ERROR,
> (errcode(ERRCODE_UNDEFINED_OBJECT),
> errmsg("constraint \"%s\" of domain \"%s\" does not exist",
> constrName, NameStr(con->conname))));
> }
>
> It sets 'con' to NULL and then in the next statement, dereferences it.
> I'm not sure if it's possible to reach this path, but if it is
> reachable it will cause a crash.
This code is no longer present in git head, *removed* by commit
426cafc. Not added by it. at least that's how I read the history...
However, it still looks to me like we could get to that code with
con=NULL - if the while loop is never executed. Perhaps this is a
can-never-happen situation? Alvaro?
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
From: | Peter Geoghegan <peter(at)2ndquadrant(dot)com> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Michael Mueller <mmueller(at)vigilantsw(dot)com>, Alvaro Herrera <alvherre(at)commandprompt(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Potential NULL dereference found in typecmds.c |
Date: | 2011-07-04 13:07:30 |
Message-ID: | CAEYLb_Vw8c=a0menxRbbKpZhiUAnWjq3ATdU0TVv5xdZUVJAmg@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
On 4 July 2011 13:53, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> This code is no longer present in git head, *removed* by commit
> 426cafc. Not added by it. at least that's how I read the history...
>
> However, it still looks to me like we could get to that code with
> con=NULL - if the while loop is never executed. Perhaps this is a
> can-never-happen situation? Alvaro?
Seems slightly academic IMHO. No code path should dereference an
invariably NULL or wild pointer.
--
Peter Geoghegan http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training and Services
From: | Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com> |
---|---|
To: | Peter Geoghegan <peter(at)2ndquadrant(dot)com> |
Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, Michael Mueller <mmueller(at)vigilantsw(dot)com>, Alvaro Herrera <alvherre(at)commandprompt(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Potential NULL dereference found in typecmds.c |
Date: | 2011-07-04 13:14:11 |
Message-ID: | 4E11BCA3.1080502@enterprisedb.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
On 04.07.2011 16:07, Peter Geoghegan wrote:
> On 4 July 2011 13:53, Magnus Hagander<magnus(at)hagander(dot)net> wrote:
>> This code is no longer present in git head, *removed* by commit
>> 426cafc. Not added by it. at least that's how I read the history...
>>
>> However, it still looks to me like we could get to that code with
>> con=NULL - if the while loop is never executed. Perhaps this is a
>> can-never-happen situation? Alvaro?
>
> Seems slightly academic IMHO. No code path should dereference an
> invariably NULL or wild pointer.
That error message is bogus anyway:
> if (!found)
> ereport(ERROR,
> (errcode(ERRCODE_UNDEFINED_OBJECT),
> errmsg("constraint \"%s\" of domain \"%s\" does not exist",
> constrName, NameStr(con->conname))));
It passes con->conname as the name of the domain, which is just wrong.
It should be TypeNameToString(typename) instead. The second error
message that follows has the same bug.
--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com
From: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
---|---|
To: | Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com> |
Cc: | Peter Geoghegan <peter(at)2ndquadrant(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Michael Mueller <mmueller(at)vigilantsw(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Potential NULL dereference found in typecmds.c |
Date: | 2011-07-04 15:12:32 |
Message-ID: | 1309792308-sup-8903@alvh.no-ip.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
Excerpts from Heikki Linnakangas's message of lun jul 04 09:14:11 -0400 2011:
> On 04.07.2011 16:07, Peter Geoghegan wrote:
> That error message is bogus anyway:
>
> > if (!found)
> > ereport(ERROR,
> > (errcode(ERRCODE_UNDEFINED_OBJECT),
> > errmsg("constraint \"%s\" of domain \"%s\" does not exist",
> > constrName, NameStr(con->conname))));
>
> It passes con->conname as the name of the domain, which is just wrong.
> It should be TypeNameToString(typename) instead. The second error
> message that follows has the same bug.
Um, evidently this code has a problem. I'll fix.
--
Álvaro Herrera <alvherre(at)commandprompt(dot)com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
From: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
---|---|
To: | Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com> |
Cc: | Peter Geoghegan <peter(at)2ndquadrant(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Michael Mueller <mmueller(at)vigilantsw(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Potential NULL dereference found in typecmds.c |
Date: | 2011-07-06 01:26:28 |
Message-ID: | 1309915478-sup-8484@alvh.no-ip.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
Excerpts from Alvaro Herrera's message of lun jul 04 11:12:32 -0400 2011:
> Excerpts from Heikki Linnakangas's message of lun jul 04 09:14:11 -0400 2011:
> > On 04.07.2011 16:07, Peter Geoghegan wrote:
>
> > That error message is bogus anyway:
> >
> > > if (!found)
> > > ereport(ERROR,
> > > (errcode(ERRCODE_UNDEFINED_OBJECT),
> > > errmsg("constraint \"%s\" of domain \"%s\" does not exist",
> > > constrName, NameStr(con->conname))));
> >
> > It passes con->conname as the name of the domain, which is just wrong.
> > It should be TypeNameToString(typename) instead. The second error
> > message that follows has the same bug.
>
> Um, evidently this code has a problem. I'll fix.
I forgot to close this: I applied Heikki's suggested fix yesterday.
Thanks for the report.
--
Álvaro Herrera <alvherre(at)commandprompt(dot)com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support