The year is about to end, and I didn't publish reports about checks of open-source projects for a long time. Programmers asked me to check PostgreSQL Database Management System many times, and I've finally decided to do it. Unfortunately, this article isn't going to be large and interesting, as I found just a few typical bugs in the project. So, the report is pretty short this time.

PostgreSQL is a free object-relational database management system. PostgreSQL is based on the SQL language and supports many features of the SQL:2003 (ISO/IEC 9075) standard. To learn more about the project, see the Wikipedia article and the project site.

1. Typos when using the memcmp() function

Datum pg_stat_get_activity(PG_FUNCTION_ARGS) { .... if (memcmp(&(beentry->st_clientaddr), &zero_clientaddr, sizeof(zero_clientaddr) == 0)) .... }

PVS-Studio's diagnostic message: V526 The 'memcmp' function returns 0 if corresponding buffers are equal. Consider examining the condition for mistakes. postgres pgstatfuncs.c 712

This line also triggers the V575 warning. I do recommend examining a code line very close if it triggers two or more diagnostic messages. One bug may often refer to different aspects.

Look close at the code and you will notice that one closing parenthesis is in a wrong place. It results in the "sizeof(zero_clientaddr) == 0" expression being passed as the third actual argument of the function.

The same bugs can be found in nearby functions: they must have been cloned throughout the code with the help of copy-paste.

Other similar issues:

pgstatfuncs.c 976

pgstatfuncs.c 1023

2. An octal number

void RestoreArchive(Archive *AHX) { .... AHX->minRemoteVersion = 070100; AHX->maxRemoteVersion = 999999; .... }

PVS-Studio's diagnostic message: V536 Be advised that the utilized constant value is represented by an octal form. Oct: 070100, Dec: 28736. pg_dump pg_backup_archiver.c 301

If you examine the code nearby, you'll see that the programmer didn't intend to use an octal number at all. For example:

fout->minRemoteVersion = 70000;

Zero before the number in the first sample must have been added there just to make the code look nicer. But it is this zero that turns the number "070100" into an octal number which equals to 28736.

3. Classics. Making mistakes when working with SOCKET

The SOCKET type is unsigned in the Windows operating system. Many programmers don't know about that or keep forgetting it, making one and the same typical mistake in many projects. The PostgreSQL project is no exception.

typedef UINT_PTR SOCKET; typedef SOCKET pgsocket; static int ident_inet(hbaPort *port) { .... pgsocket sock_fd; .... sock_fd = socket(ident_serv->ai_family, ident_serv->ai_socktype, ident_serv->ai_protocol); if (sock_fd < 0) { .... }

PVS-Studio's diagnostic message: V547 Expression 'sock_fd < 0' is always false. Unsigned type value is never < 0. postgres auth.c 1668

The check (sock_fd < 0) is pointless. An unsigned variable cannot be less than zero. The code handling the situation when the socket cannot be opened will never get control.

A few more bugs of that kind:

auth.c 1748

auth.c 2567

pqcomm.c 395

pqcomm.c 633

postmaster.c 2168

4. Private data erase failure

There are many typical errors occurring when trying to clear memory containing private data. I guess this bug is even more frequent than the trouble with the SOCKET type.

char * px_crypt_md5(const char *pw, const char *salt, char *passwd, unsigned dstlen) { .... unsigned char final[MD5_SIZE]; .... /* Don't leave anything around in vm they could use. */ memset(final, 0, sizeof final); .... }

PVS-Studio's diagnostic message: V597 The compiler could delete the 'memset' function call, which is used to flush 'final' buffer. The RtlSecureZeroMemory() function should be used to erase the private data. pgcrypto crypt-md5.c 157

The comment emphasizes that a certain memory area must be cleared. But that won't happen. The compiler will throw away the call of the memset() function. To learn why it happens and how to fix it, see the rule's description.

There are quite many fragments where private data fail to be erased:

fortuna.c 294

fortuna.c 344

fortuna.c 381

internal.c 671

pgp-encrypt.c 131

pgp-encrypt.c 493

pgp-encrypt.c 555

pgp-decrypt.c 283

pgp-decrypt.c 398

pgp-decrypt.c 399

pgp-decrypt.c 496

pgp-decrypt.c 706

pgp-decrypt.c 795

pgp-pgsql.c 90

pgp-pgsql.c 132

px-crypt.c 161

pgp-pubkey.c 153

pgp-pubkey.c 294

pgp-pubkey.c 295

Each of these cases is a potential vulnerability! Non-erased data may get unexpectedly saved to the disk or sent by network. See an article on this subject: Overwriting memory - why?

5. Undefined behavior

static char * inet_cidr_ntop_ipv6(const u_char *src, int bits, char *dst, size_t size) { .... m = ~0 << (8 - b); .... }

PVS-Studio's diagnostic message: V610 Undefined behavior. Check the shift operator '<<. The left operand '~0' is negative. postgres inet_cidr_ntop.c 206

One can't shift negative numbers because it causes undefined behavior. See the article "Wade not in unknown waters. Part three" for details.

Other dangerous shifts:

network.c 1435

signal.c 118

signal.c 125

varbit.c 1508

varbit.c 1588

6. A typo

static void AddNewRelationTuple(....) { .... new_rel_reltup->relfrozenxid = InvalidTransactionId; new_rel_reltup->relfrozenxid = InvalidMultiXactId; .... }

PVS-Studio's diagnostic message: V519 The 'new_rel_reltup->relfrozenxid' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 912, 913. postgres heap.c 913

One variable is assigned two different values. This must be a typo. It is most likely the variable 'new_rel_reltup->relminmxid' that must be assigned a value in the second line.

Conclusion

In case the PostgreSQL project's developers show interest in the PVS-Studio analyzer, we can grant them a free registration key for some time. Please write to us.

And happy New Year!