public inbox for [email protected]  
From: Fujii Masao <[email protected]>
To: Amjad Shahzad <[email protected]>
Cc: [email protected]
Subject: Re: BUG #19511: contrib/dblink: NULL dereference in dblink_get_notify() when called without a prior connection
Date: Fri, 5 Jun 2026 13:45:06 +0900
Message-ID: <CAHGQGwGt5qAAjgQONmC_sk=O9YtnXxPD12YOy_DODpixPXKU8A@mail.gmail.com>
In-Reply-To: <CADHzGZRAxFYoxMC+g6pEJ0FL0bfVhFi+y0jQ0cRNCC5hFjvJ3Q@mail.gmail.com>
References: <[email protected]>
	<CADHzGZRAxFYoxMC+g6pEJ0FL0bfVhFi+y0jQ0cRNCC5hFjvJ3Q@mail.gmail.com>

On Fri, Jun 5, 2026 at 10:20 AM Amjad Shahzad
<[email protected]> wrote:
>> I found a NULL pointer dereference in contrib/dblink/dblink.c in the
>> dblink_get_notify() function. Any user with EXECUTE on the function
>> can crash their backend process with a single call. Confirmed against master
>> commit 0392fb900eb.
>>
>> WHAT IS THE ISSUE
>> =================
>> dblink_get_notify() retrieves async notifications from a remote connection.
>> When called with no arguments it uses the default
>> (unnamed) connection. If no default connection has been established first,
>> pconn->conn is NULL. The code assigns this NULL to conn and
>> then passes it directly to PQconsumeInput() and PQnotifies():
>>
>>     /* line 1893 (master) */
>>     else
>>         conn = pconn->conn;      /* NULL — no connection established */
>>
>>     InitMaterializedSRF(fcinfo, 0);
>>
>>     PQconsumeInput(conn);        /* passes NULL to libpq */
>>     while ((notify = PQnotifies(conn)) != NULL)  /* NULL dereference */
>>
>> PQnotifies(NULL) dereferences a null pointer internally, causing a backend
>> SIGSEGV.

Can this segmentation fault actually happen?

PQconsumeInput() and PQnotifies() both simply return immediately when
conn == NULL. So even if dblink_get_notify() calls them with a NULL conn,
it doesn't seem like that would lead to a segmentation fault.
Am I missing something?

Regards,

-- 
Fujii Masao
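The disagreement above is checkable from psql. The following session is an added example, not part of the bug report, of the reply, or of the dblink sources: it exercises dblink_get_notify() first with no default connection (the case the report says crashes) and then with an established default connection on which a notification is actually pending, so the two code paths can be compared side by side. It assumes a local database named `contrib_regression` (a hypothetical name) and that the calling role has EXECUTE on the dblink functions, which is the default after CREATE EXTENSION.

```sql
-- Added example (not from the report or from contrib/dblink): reproduce the
-- two scenarios discussed in the thread in one psql session.
-- Assumes a local database "contrib_regression" (hypothetical name).

CREATE EXTENSION IF NOT EXISTS dblink;

-- Scenario 1: no default (unnamed) connection has been opened yet, so
-- pconn->conn is NULL inside dblink_get_notify(). The report predicts a
-- backend SIGSEGV; Fujii's reading of libpq (PQconsumeInput() and
-- PQnotifies() return immediately on a NULL conn) predicts that the
-- while loop never runs and the function simply returns no rows.
SELECT * FROM dblink_get_notify();

-- Scenario 2: open the default connection, LISTEN on the remote side and
-- raise a notification there. Now conn is a live PGconn, PQconsumeInput()
-- reads the pending notification and PQnotifies() hands it back, so the
-- loop body in dblink_get_notify() executes.
SELECT dblink_connect('dbname=contrib_regression');   -- hypothetical dbname
SELECT dblink_exec('LISTEN regress_notify');
SELECT dblink_exec('NOTIFY regress_notify');
SELECT notify_name, be_pid, extra FROM dblink_get_notify();

-- Tear down the default connection so the session is back to scenario 1.
SELECT dblink_disconnect();
```

If the libpq NULL guards behave as described in the reply, the first SELECT returns an empty result set and the backend stays alive; the second SELECT returns one row whose notify_name is `regress_notify`, with the remote backend's PID in be_pid. A segfault in scenario 1 would show up as a "server closed the connection unexpectedly" error in psql and a crash-recovery cycle in the server log, which is the signal to look for when triaging a report like this one.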