Our website uses cookies to enhance your browsing experience.
Accept
to the top
close form

Fill out the form in 2 simple steps below:

Your contact information:

Step 1
Congratulations! This is your promo code!

Desired license type:

Step 2
Team license
Enterprise license
** By clicking this button you agree to our Privacy Policy statement
close form
Request our prices
New License
License Renewal
--Select currency--
USD
EUR
* By clicking this button you agree to our Privacy Policy statement

close form
Free PVS‑Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

close form
To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

close form
I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

close form
check circle
Message submitted.

Your message has been sent. We will email you at


If you do not see the email in your inbox, please check if it is filtered to one of the following folders:

  • Promotion
  • Updates
  • Spam

Webinar: C++ semantics - 06.11

>
>
>
Pre New Year Check of PostgreSQL

Pre New Year Check of PostgreSQL

Nov 24 2013
Author:

The year is about to end, and I didn't publish reports about checks of open-source projects for a long time. Programmers asked me to check PostgreSQL Database Management System many times, and I've finally decided to do it. Unfortunately, this article isn't going to be large and interesting, as I found just a few typical bugs in the project. So, the report is pretty short this time.

0227_PostgreSQL/image1.png

PostgreSQL is a free object-relational database management system. PostgreSQL is based on the SQL language and supports many features of the SQL:2003 (ISO/IEC 9075) standard. To learn more about the project, see the Wikipedia article and the project site.

1. Typos when using the memcmp() function

Datum pg_stat_get_activity(PG_FUNCTION_ARGS)
{
  ....
  if (memcmp(&(beentry->st_clientaddr), &zero_clientaddr,
             sizeof(zero_clientaddr) == 0))
  ....
}

PVS-Studio's diagnostic message: V526 The 'memcmp' function returns 0 if corresponding buffers are equal. Consider examining the condition for mistakes. postgres pgstatfuncs.c 712

This line also triggers the V575 warning. I do recommend examining a code line very close if it triggers two or more diagnostic messages. One bug may often refer to different aspects.

Look close at the code and you will notice that one closing parenthesis is in a wrong place. It results in the "sizeof(zero_clientaddr) == 0" expression being passed as the third actual argument of the function.

The same bugs can be found in nearby functions: they must have been cloned throughout the code with the help of copy-paste.

Other similar issues:

  • pgstatfuncs.c 976
  • pgstatfuncs.c 1023

2. An octal number

void RestoreArchive(Archive *AHX)
{
  ....
  AHX->minRemoteVersion = 070100;
  AHX->maxRemoteVersion = 999999;
  ....
}

PVS-Studio's diagnostic message: V536 Be advised that the utilized constant value is represented by an octal form. Oct: 070100, Dec: 28736. pg_dump pg_backup_archiver.c 301

If you examine the code nearby, you'll see that the programmer didn't intend to use an octal number at all. For example:

fout->minRemoteVersion = 70000;

Zero before the number in the first sample must have been added there just to make the code look nicer. But it is this zero that turns the number "070100" into an octal number which equals to 28736.

3. Classics. Making mistakes when working with SOCKET

The SOCKET type is unsigned in the Windows operating system. Many programmers don't know about that or keep forgetting it, making one and the same typical mistake in many projects. The PostgreSQL project is no exception.

typedef UINT_PTR SOCKET;
typedef SOCKET pgsocket;

static int
ident_inet(hbaPort *port)
{
  ....
  pgsocket  sock_fd;
  ....
  sock_fd = socket(ident_serv->ai_family,
                   ident_serv->ai_socktype,
                   ident_serv->ai_protocol);
  if (sock_fd < 0)
  {
  ....
}

PVS-Studio's diagnostic message: V547 Expression 'sock_fd < 0' is always false. Unsigned type value is never < 0. postgres auth.c 1668

The check (sock_fd < 0) is pointless. An unsigned variable cannot be less than zero. The code handling the situation when the socket cannot be opened will never get control.

A few more bugs of that kind:

  • auth.c 1748
  • auth.c 2567
  • pqcomm.c 395
  • pqcomm.c 633
  • postmaster.c 2168

4. Private data erase failure

There are many typical errors occurring when trying to clear memory containing private data. I guess this bug is even more frequent than the trouble with the SOCKET type.

char *
px_crypt_md5(const char *pw, const char *salt,
             char *passwd, unsigned dstlen)
{
  ....
  unsigned char final[MD5_SIZE];
  ....
  /* Don't leave anything around in vm they could use. */
  memset(final, 0, sizeof final);
  ....
}

PVS-Studio's diagnostic message: V597 The compiler could delete the 'memset' function call, which is used to flush 'final' buffer. The RtlSecureZeroMemory() function should be used to erase the private data. pgcrypto crypt-md5.c 157

The comment emphasizes that a certain memory area must be cleared. But that won't happen. The compiler will throw away the call of the memset() function. To learn why it happens and how to fix it, see the rule's description.

There are quite many fragments where private data fail to be erased:

  • fortuna.c 294
  • fortuna.c 344
  • fortuna.c 381
  • internal.c 671
  • pgp-encrypt.c 131
  • pgp-encrypt.c 493
  • pgp-encrypt.c 555
  • pgp-decrypt.c 283
  • pgp-decrypt.c 398
  • pgp-decrypt.c 399
  • pgp-decrypt.c 496
  • pgp-decrypt.c 706
  • pgp-decrypt.c 795
  • pgp-pgsql.c 90
  • pgp-pgsql.c 132
  • px-crypt.c 161
  • pgp-pubkey.c 153
  • pgp-pubkey.c 294
  • pgp-pubkey.c 295

Each of these cases is a potential vulnerability! Non-erased data may get unexpectedly saved to the disk or sent by network. See an article on this subject: Overwriting memory - why?

5. Undefined behavior

static char *
inet_cidr_ntop_ipv6(const u_char *src, int bits,
                    char *dst, size_t size)
{
  ....
  m = ~0 << (8 - b);
  ....
}

PVS-Studio's diagnostic message: V610 Undefined behavior. Check the shift operator '<<. The left operand '~0' is negative. postgres inet_cidr_ntop.c 206

One can't shift negative numbers because it causes undefined behavior. See the article "Wade not in unknown waters. Part three" for details.

Other dangerous shifts:

  • network.c 1435
  • signal.c 118
  • signal.c 125
  • varbit.c 1508
  • varbit.c 1588

6. A typo

static void
AddNewRelationTuple(....)
{
  ....
  new_rel_reltup->relfrozenxid = InvalidTransactionId;
  new_rel_reltup->relfrozenxid = InvalidMultiXactId;
  ....
}

PVS-Studio's diagnostic message: V519 The 'new_rel_reltup->relfrozenxid' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 912, 913. postgres heap.c 913

One variable is assigned two different values. This must be a typo. It is most likely the variable 'new_rel_reltup->relminmxid' that must be assigned a value in the second line.

Conclusion

In case the PostgreSQL project's developers show interest in the PVS-Studio analyzer, we can grant them a free registration key for some time. Please write to us.

And happy New Year!



Comments (0)

Next comments next comments
close comment form