Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-bugs-owner+archive@lists.postgresql.org>)
	id 1wVMQt-001uEM-0F
	for pgsql-bugs@arkaria.postgresql.org;
	Fri, 05 Jun 2026 04:45:23 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-bugs-owner+archive@lists.postgresql.org>)
	id 1wVMQs-00A5x6-05
	for pgsql-bugs@arkaria.postgresql.org;
	Fri, 05 Jun 2026 04:45:22 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <masao.fujii@gmail.com>)
	id 1wVMQr-00A5wu-2W
	for pgsql-bugs@lists.postgresql.org;
	Fri, 05 Jun 2026 04:45:21 +0000
Received: from mail-oa1-x36.google.com ([2001:4860:4864:20::36])
	by makus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.98.2)
	(envelope-from <masao.fujii@gmail.com>)
	id 1wVMQq-00000001BG0-0xwW
	for pgsql-bugs@lists.postgresql.org;
	Fri, 05 Jun 2026 04:45:20 +0000
Received: by mail-oa1-x36.google.com with SMTP id
 586e51a60fabf-43d2ff651f2so1407020fac.2
        for <pgsql-bugs@lists.postgresql.org>;
 Thu, 04 Jun 2026 21:45:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1780634719; cv=none;
        d=google.com; s=arc-20240605;
        b=D0F65Je5YhrCUtu1kHVT0bpX/pb2B10EVl/+Ws+8fLNqblB5geA/CTkk8SBNu9HQeX
         Y6ES6sT4FuyBdwPOArl9ASdoh5rNwFQElPk+Ko6JM/7ucswavY5TtVIFtcnKwPM6CzFb
         WqbkrqvUbNz334thf0vpu6GE1FnPaoHeoKSEs1Pi9JNf2dV9tHXAcszz2HYpmuSgv7X7
         W+j2+zCKXSbIoqXXHcw8DXS47jBX3kuiapmf2kPxFChgarSSEwr7PyJv3zlEpUjyZD/I
         RxoC0xXG51zKVyZ9nt7JZYTQMd7xQ8u5pD6QfEHesR272s/5oHMYBvwIABZT3JbOoJZN
         QjZg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20240605;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=L5GSwxesJu9PtF18IgRrzkrQhB2lwlI3yfFN5DUcVgk=;
        fh=KZdKKFsPuuIjfuPx1/87O/F62ivrct7APARmXjqxcJk=;
        b=S9sbbZ4E7KsEGH6x0k5gCCfFSiY5kTXFCdDb5+NX5CAtiI6R0QXh1gN6mYZ2Gwa2MF
         R6zqxLGppb2174TjJ4AgNk5Jl90QBaEjwHzbRPXDPBlaEOHQUfEFbBIAhXXx1bQCWRrK
         C6bxCrJTfGG0aZrkTMMpmyW09Pjq3z/gmCa0MjaTmrikSmYGgewwASRCLXoUhvw/AYrv
         x9ZJUqR/0Mk45c8lgSbndtTu8wNGfnoKxi/eh2eicXAro9PHadKtecnvIQYCADWmeL+S
         rFAI50CVXf5TrbaJZ2LUqYaN8Lv4CZtulqBDFOG5be1dXKbaXNURFEYhmS7/dB7rKJpm
         4xlA==;
        darn=lists.postgresql.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1780634719; x=1781239519;
 darn=lists.postgresql.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=L5GSwxesJu9PtF18IgRrzkrQhB2lwlI3yfFN5DUcVgk=;
        b=c4oKznQUr5qi0yJyvjtEedNrr5est/yphxCvk9pBNu9KTw9FXZzpwWC+tEJznbdrf2
         KdSD7TJaE1eJpezVrloEgTH+cG+4bIm9z88qLWHxb/f7HUTnknLU+gWP4YFAyk/kt/fU
         YkjQdUxJQ029ocLcJYStl/xbJ1WrlWRNt2p6wrJ9g+WSgoHjtw6UQ/oWj2R5+yIObxek
         xUQQfFyobh2OaUGHt8uqR1ElyLcf1HfcLDdHemQ+93d1z+iWYLDNawsR5phNuJN5WSPm
         2DLUyhwv/ruu3jpXOwsph24tUhrlyY7bkt5DMYgrw0YWkT84Zw2cIcY7bx1sTbV3wH+Y
         lZiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1780634719; x=1781239519;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=L5GSwxesJu9PtF18IgRrzkrQhB2lwlI3yfFN5DUcVgk=;
        b=AZelAK9To8f69BwVVzPt8uN0Zpjtg2ehC0+RI9hKclCrUQMcrDqzXzYFqGO0ByhBPU
         lwhJoDzdRmt1rfdDQEXDls/a5QyC1sLi7uN6y6+N5aUStUbshqYii6QdPREfddSZIxTN
         YsV99TQzTatmNJ6N/tdLOmh9hbm5GXQ9rwUy7ZLCMaryFhTebKrpENDuQ+xIjaG3VYio
         BIHoofe//Rs2T5nWAeDIYakv0ETb/mrYPc6Vfk8Q5VAMayQ4ajkU2muVl6oPF7tFGql2
         yjJzXNXHxNHoNvGy+5GSLlkL9BAp5crEeX028779EzfGPsa0pLXqNcR45ANkRGdpZkfS
         IMGg==
X-Gm-Message-State: AOJu0YyZNPaeAnPGb71mB2vyi2B9VPXm+6+f7t5whj7IMTcLBjvRonsv
	QQ6U7PrzIdgQ8TpgOhE1h2ymKNnpvInLbxJsOKC5BhCrs+rTtsDcQ6L4ka7rbTwof/z3jLu8E6r
	nvLLxWaxBEFDSV4X16EQ1qDIKn0esYQ4=
X-Gm-Gg: Acq92OF2NG9//eF7fIAel2XKqIA5czeX8rMZztD/HzjxOLWVUGl17DEAzXMZFC5BXuY
	m9oRIMjYQG0Ix3wDga+eCZYEMPgQLHS5/f/ysr+hyvs0ry1Ft8ZNjh9I7eXrdPe9fUAYxmKyY2D
	1Yg487Dx9XyNVMQMJFZq5+bzj189ezl/YRXyMswzFuGToxZ2Ce6tnr/K80WmeXyWPUxrgp6a1Fs
	4iC1e5I+kas603+YgZ3pyjBK0uEeJ/ppf13JdoT0m+mTnmLBDEzdU3kRt794wTfNHF5RPPnOHwk
	rWji5yP+BKDQSLU71vIjKvccCF+KmRtao09VKCfrfuSK7RdFVFw=
X-Received: by 2002:a05:6820:2088:b0:69d:bfe4:71e6 with SMTP id
 006d021491bc7-69e68c645b1mr1065993eaf.45.1780634719372; Thu, 04 Jun 2026
 21:45:19 -0700 (PDT)
MIME-Version: 1.0
References: <19511-f9f251767b658232@postgresql.org>
 <CADHzGZRAxFYoxMC+g6pEJ0FL0bfVhFi+y0jQ0cRNCC5hFjvJ3Q@mail.gmail.com>
In-Reply-To: 
 <CADHzGZRAxFYoxMC+g6pEJ0FL0bfVhFi+y0jQ0cRNCC5hFjvJ3Q@mail.gmail.com>
From: Fujii Masao <masao.fujii@gmail.com>
Date: Fri, 5 Jun 2026 13:45:06 +0900
X-Gm-Features: AVVi8CewYprKWyxjPS78oW50l8FjveAwPzIARbwpOz3ZdqQUy32hvh-0wtVbtiM
Message-ID: 
 <CAHGQGwGt5qAAjgQONmC_sk=O9YtnXxPD12YOy_DODpixPXKU8A@mail.gmail.com>
Subject: Re: BUG #19511: contrib/dblink: NULL dereference in
 dblink_get_notify() when called without a prior connection
To: Amjad Shahzad <amjadshahzad2000@gmail.com>
Cc: pgsql-bugs@lists.postgresql.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
List-Id: <pgsql-bugs.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-bugs@lists.postgresql.org>
List-Owner: <mailto:pgsql-bugs-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-bugs>
Archived-At: 
 <https://www.postgresql.org/message-id/CAHGQGwGt5qAAjgQONmC_sk%3DO9YtnXxPD12YOy_DODpixPXKU8A%40mail.gmail.com>
Precedence: bulk

On Fri, Jun 5, 2026 at 10:20=E2=80=AFAM Amjad Shahzad
<amjadshahzad2000@gmail.com> wrote:
>> I found a NULL pointer dereference in contrib/dblink/dblink.c in the
>> dblink_get_notify() function. Any user with EXECUTE on the function
>> can crash their backend process with a single call. Confirmed against ma=
ster
>> commit 0392fb900eb.
>>
>> WHAT IS THE ISSUE
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>> dblink_get_notify() retrieves async notifications from a remote connecti=
on.
>> When called with no arguments it uses the default
>> (unnamed) connection. If no default connection has been established firs=
t,
>> pconn->conn is NULL. The code assigns this NULL to conn and
>> then passes it directly to PQconsumeInput() and PQnotifies():
>>
>>     /* line 1893 (master) */
>>     else
>>         conn =3D pconn->conn;      /* NULL =E2=80=94 no connection estab=
lished */
>>
>>     InitMaterializedSRF(fcinfo, 0);
>>
>>     PQconsumeInput(conn);        /* passes NULL to libpq */
>>     while ((notify =3D PQnotifies(conn)) !=3D NULL)  /* NULL dereference=
 */
>>
>> PQnotifies(NULL) dereferences a null pointer internally, causing a backe=
nd
>> SIGSEGV.

Can this segmentation fault actually happen?

PQconsumeInput() and PQnotifies() both simply return immediately when
conn =3D=3D NULL. So even if dblink_get_notify() calls them with a NULL con=
n,
it doesn't seem like that would lead to a segmentation fault.
Am I missing something?

Regards,

--=20
Fujii Masao