Webinar: C++ semantics - 06.11
The year is about to end, and I didn't publish reports about checks of open-source projects for a long time. Programmers asked me to check PostgreSQL Database Management System many times, and I've finally decided to do it. Unfortunately, this article isn't going to be large and interesting, as I found just a few typical bugs in the project. So, the report is pretty short this time.
PostgreSQL is a free object-relational database management system. PostgreSQL is based on the SQL language and supports many features of the SQL:2003 (ISO/IEC 9075) standard. To learn more about the project, see the Wikipedia article and the project site.
Datum pg_stat_get_activity(PG_FUNCTION_ARGS)
{
....
if (memcmp(&(beentry->st_clientaddr), &zero_clientaddr,
sizeof(zero_clientaddr) == 0))
....
}
PVS-Studio's diagnostic message: V526 The 'memcmp' function returns 0 if corresponding buffers are equal. Consider examining the condition for mistakes. postgres pgstatfuncs.c 712
This line also triggers the V575 warning. I do recommend examining a code line very close if it triggers two or more diagnostic messages. One bug may often refer to different aspects.
Look close at the code and you will notice that one closing parenthesis is in a wrong place. It results in the "sizeof(zero_clientaddr) == 0" expression being passed as the third actual argument of the function.
The same bugs can be found in nearby functions: they must have been cloned throughout the code with the help of copy-paste.
Other similar issues:
void RestoreArchive(Archive *AHX)
{
....
AHX->minRemoteVersion = 070100;
AHX->maxRemoteVersion = 999999;
....
}
PVS-Studio's diagnostic message: V536 Be advised that the utilized constant value is represented by an octal form. Oct: 070100, Dec: 28736. pg_dump pg_backup_archiver.c 301
If you examine the code nearby, you'll see that the programmer didn't intend to use an octal number at all. For example:
fout->minRemoteVersion = 70000;
Zero before the number in the first sample must have been added there just to make the code look nicer. But it is this zero that turns the number "070100" into an octal number which equals to 28736.
The SOCKET type is unsigned in the Windows operating system. Many programmers don't know about that or keep forgetting it, making one and the same typical mistake in many projects. The PostgreSQL project is no exception.
typedef UINT_PTR SOCKET;
typedef SOCKET pgsocket;
static int
ident_inet(hbaPort *port)
{
....
pgsocket sock_fd;
....
sock_fd = socket(ident_serv->ai_family,
ident_serv->ai_socktype,
ident_serv->ai_protocol);
if (sock_fd < 0)
{
....
}
PVS-Studio's diagnostic message: V547 Expression 'sock_fd < 0' is always false. Unsigned type value is never < 0. postgres auth.c 1668
The check (sock_fd < 0) is pointless. An unsigned variable cannot be less than zero. The code handling the situation when the socket cannot be opened will never get control.
A few more bugs of that kind:
There are many typical errors occurring when trying to clear memory containing private data. I guess this bug is even more frequent than the trouble with the SOCKET type.
char *
px_crypt_md5(const char *pw, const char *salt,
char *passwd, unsigned dstlen)
{
....
unsigned char final[MD5_SIZE];
....
/* Don't leave anything around in vm they could use. */
memset(final, 0, sizeof final);
....
}
PVS-Studio's diagnostic message: V597 The compiler could delete the 'memset' function call, which is used to flush 'final' buffer. The RtlSecureZeroMemory() function should be used to erase the private data. pgcrypto crypt-md5.c 157
The comment emphasizes that a certain memory area must be cleared. But that won't happen. The compiler will throw away the call of the memset() function. To learn why it happens and how to fix it, see the rule's description.
There are quite many fragments where private data fail to be erased:
Each of these cases is a potential vulnerability! Non-erased data may get unexpectedly saved to the disk or sent by network. See an article on this subject: Overwriting memory - why?
static char *
inet_cidr_ntop_ipv6(const u_char *src, int bits,
char *dst, size_t size)
{
....
m = ~0 << (8 - b);
....
}
PVS-Studio's diagnostic message: V610 Undefined behavior. Check the shift operator '<<. The left operand '~0' is negative. postgres inet_cidr_ntop.c 206
One can't shift negative numbers because it causes undefined behavior. See the article "Wade not in unknown waters. Part three" for details.
Other dangerous shifts:
static void
AddNewRelationTuple(....)
{
....
new_rel_reltup->relfrozenxid = InvalidTransactionId;
new_rel_reltup->relfrozenxid = InvalidMultiXactId;
....
}
PVS-Studio's diagnostic message: V519 The 'new_rel_reltup->relfrozenxid' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 912, 913. postgres heap.c 913
One variable is assigned two different values. This must be a typo. It is most likely the variable 'new_rel_reltup->relminmxid' that must be assigned a value in the second line.
In case the PostgreSQL project's developers show interest in the PVS-Studio analyzer, we can grant them a free registration key for some time. Please write to us.
And happy New Year!
0