From: | Amit Langote <Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp> |
---|---|
To: | bianpan2016(at)163(dot)com, pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: BUG #14928: Unchecked SearchSysCacheCopy1() return value |
Date: | 2017-11-27 10:21:32 |
Message-ID: | 85682287-8cdb-03d5-94d3-2b722e3ce968@lab.ntt.co.jp |
Lists: | pgsql-bugs |
On 2017/11/27 18:13, bianpan2016(at)163(dot)com wrote:
> The following bug has been logged on the website:
>
> Bug reference: 14928
> Logged by: Pan Bian
> Email address: bianpan2016(at)163(dot)com
> PostgreSQL version: 10.1
> Operating system: Linux
> Description:
>
> File: postgresql-10.1/src/backend/commands/tablecmds.c
> Function: ATExecDetachPartition
> Line: 13816
>
> Function SearchSysCacheCopy1() may return a NULL pointer if there is not
> enough memory. But in function ATExecDetachPartition(), its return value is
> not checked, which may result in a NULL dereference (see line 13818).
>
> For your convenience, I copy and paste the related code as follows.
>
> 13815 classRel = heap_open(RelationRelationId, RowExclusiveLock);
> 13816 tuple = SearchSysCacheCopy1(RELOID,
> 13817                             ObjectIdGetDatum(RelationGetRelid(partRel)));
> 13818 Assert(((Form_pg_class) GETSTRUCT(tuple))->relispartition);
> 13819
> 13820 (void) SysCacheGetAttr(RELOID, tuple, Anum_pg_class_relpartbound,
> 13821                        &isnull);
> 13822 Assert(!isnull);
Thanks for the report. Attached a patch that adds a check that tuple is
valid before trying to dereference it.
Thanks,
Amit
Attachment | Content-Type | Size |
---|---|---|
syscache-check-tuple-tablecmds.patch | text/plain | 678 bytes |
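
The check discussed in this thread, as an added stand-alone example; it is not the attached patch and not PostgreSQL source. `ClassRow`, `lookup_copy`, `detach_partition_checked` and the sample rows are constructed stand-ins for the catalog tuple, `SearchSysCacheCopy1()` and its caller.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for this example; these are not PostgreSQL's types. */
typedef struct { unsigned relid; int relispartition; } ClassRow;
static const ClassRow catalog[] = { {16384, 1}, {16390, 0} }; /* sample rows */

/* Models a "search and copy" lookup: returns a heap-allocated copy that the
 * caller owns, or NULL when it has nothing to hand back. */
static ClassRow *lookup_copy(unsigned relid)
{
    for (size_t i = 0; i < sizeof catalog / sizeof catalog[0]; i++) {
        if (catalog[i].relid == relid) {
            ClassRow *copy = malloc(sizeof *copy);
            if (copy != NULL)
                *copy = catalog[i];
            return copy;
        }
    }
    return NULL;
}

enum { DETACH_OK = 0, DETACH_LOOKUP_FAILED = -1, DETACH_NOT_PARTITION = -2 };

/* Checked caller: the pointer is validated before any field is read, and the
 * checks are ordinary runtime tests, so they hold with assertions disabled. */
static int detach_partition_checked(unsigned relid)
{
    ClassRow *tuple = lookup_copy(relid);

    if (tuple == NULL) {
        fprintf(stderr, "cache lookup failed for relation %u\n", relid);
        return DETACH_LOOKUP_FAILED;
    }
    if (!tuple->relispartition) {
        free(tuple);
        return DETACH_NOT_PARTITION;
    }
    tuple->relispartition = 0;  /* modify the private copy, then release it */
    free(tuple);
    return DETACH_OK;
}

int main(void)
{
    printf("%d %d %d\n", detach_partition_checked(16384),
           detach_partition_checked(99999), detach_partition_checked(16390));
    return 0;
}
```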