public inbox for [email protected]
help / color / mirror / Atom feedFrom: PG Bug reporting form <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: BUG #19511: contrib/dblink: NULL dereference in dblink_get_notify() when called without a prior connection
Date: Fri, 05 Jun 2026 01:15:40 +0000
Message-ID: <[email protected]> (raw)
The following bug has been logged on the website:
Bug reference: 19511
Logged by: Amjad Shahzad
Email address: [email protected]
PostgreSQL version: 18.4
Operating system: Ubuntu 24.04 x86_64
Description:
I found a NULL pointer dereference in contrib/dblink/dblink.c in the
dblink_get_notify() function. Any user with EXECUTE on the function
can crash their backend process with a single call. Confirmed against master
commit 0392fb900eb.
WHAT IS THE ISSUE
=================
dblink_get_notify() retrieves async notifications from a remote connection.
When called with no arguments it uses the default
(unnamed) connection. If no default connection has been established first,
pconn->conn is NULL. The code assigns this NULL to conn and
then passes it directly to PQconsumeInput() and PQnotifies():
/* line 1893 (master) */
else
conn = pconn->conn; /* NULL — no connection established */
InitMaterializedSRF(fcinfo, 0);
PQconsumeInput(conn); /* passes NULL to libpq */
while ((notify = PQnotifies(conn)) != NULL) /* NULL dereference */
PQnotifies(NULL) dereferences a null pointer internally, causing a backend
SIGSEGV.
Every other function in dblink.c that uses the default connection already
has an explicit NULL guard:
if (!conn)
dblink_conn_not_avail(conname);
dblink_get_notify() is the only function that skips this guard.
WHAT CAN BE COMPROMISED
=========================
Any user with EXECUTE on dblink_get_notify(), granted to PUBLIC by default
can crash their backend process
on demand. No password, no connection, no special privileges required.
In a shared server environment this can be used as a denial-of-service
against a specific session. Combined with
connection pooling or persistent connections it could repeatedly crash
backend processes.
PREREQUISITES
===============
1. Any connected database user
2. EXECUTE on dblink_get_notify (granted to PUBLIC by default)
3. contrib/dblink installed (CREATE EXTENSION dblink)
No dblink connection needed. No password needed.
STEPS TO REPRODUCE
====================
-- STEP 1: Install dblink
CREATE EXTENSION dblink;
-- STEP 2: As any user, call without connecting first
SELECT * FROM dblink_get_notify();
-- Result before fix:
-- server closed the connection unexpectedly
-- SIGSEGV in server log
-- Result after fix:
-- ERROR: connection not available
THE FIX
=======
Add the same NULL guard that every other dblink function already has:
/* BEFORE */
else
conn = pconn->conn;
/* AFTER */
else
{
conn = pconn->conn;
if (!conn)
dblink_conn_not_avail(NULL);
}
4 lines added. Patch attached.
BEHAVIOUR AFTER THE FIX
========================
-- No prior connection:
SELECT * FROM dblink_get_notify();
-- ERROR: connection not available (clean error, no crash)
-- With valid connection:
SELECT * FROM dblink_get_notify('myconn');
-- (0 rows) (works exactly as before)
REGRESSION TEST RESULTS
=========================
$ meson test --suite dblink
1/2 dblink - postgresql:dblink/regress OK (all SQL tests pass)
2/2 dblink - postgresql:dblink/001_auth_scram OK 12 subtests passed
Ok: 2 Fail: 0
$ meson test --suite regress
1/1 regress - postgresql:regress/regress OK 245 subtests passed
Ok: 1 Fail: 0
Tested on: PostgreSQL master 0392fb900eb, Ubuntu 24.04, x86_64.
view thread (5+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: BUG #19511: contrib/dblink: NULL dereference in dblink_get_notify() when called without a prior connection
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox