Mark PQfn() unsafe and fix overrun in frontend LO interface.

When result_is_int is set to 0, PQfn() cannot validate that the
result fits in result_buf, so it will write data beyond the end of
the buffer when the server returns more data than requested.  Since
this function is insecurable and obsolete, add a warning to the top
of the pertinent documentation advising against its use.

The only in-tree caller of PQfn() is the frontend large object
interface.  To fix that, add a buf_size parameter to
pqFunctionCall3() that is used to protect against overruns, and use
it in a private version of PQfn() that also accepts a buf_size
parameter.

Reported-by: Yu Kunpeng <yu443940816@live.com>
Reported-by: Martin Heistermann <martin.heistermann@unibe.ch>
Author: Nathan Bossart <nathandbossart@gmail.com>
Reviewed-by: Noah Misch <noah@leadboat.com>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
Reviewed-by: Etsuro Fujita <etsuro.fujita@gmail.com>
Security: CVE-2026-6477
Backpatch-through: 14

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index e438b3ce8108024fd2ddcb28fc5aad71b89fc7df..88449b295d94d46ba5b43532afa0955d2e3ca02a 100644 (file)
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -5722,15 +5722,20 @@ int PQrequestCancel(PGconn *conn);
    to send simple function calls to the server.
   </para>
 
-  <tip>
+  <warning>
    <para>
-    This interface is somewhat obsolete, as one can achieve similar
+    This interface is unsafe and should not be used.  When
+    <parameter>result_is_int</parameter> is set to <literal>0</literal>,
+    <function>PQfn</function> may write data beyond the end of
+    <parameter>result_buf</parameter>, regardless of whether the buffer has
+    enough space for the requested number of bytes.  Furthermore, it is
+    obsolete, as one can achieve similar
     performance and greater functionality by setting up a prepared
     statement to define the function call.  Then, executing the statement
     with binary transmission of parameters and results substitutes for a
     fast-path function call.
    </para>
-  </tip>
+  </warning>
 
   <para>
    The function <function id="libpq-PQfn">PQfn</function><indexterm><primary>PQfn</primary></indexterm>

diff --git a/src/interfaces/libpq/fe-exec.c b/src/interfaces/libpq/fe-exec.c
index 05ee0fc9eca6b5a958b531cf7f51a7d34b86e30b..31f1de2b434369e58e8810d40f3149165c4830c0 100644 (file)
--- a/src/interfaces/libpq/fe-exec.c
+++ b/src/interfaces/libpq/fe-exec.c
@@ -2884,6 +2884,20 @@ PQfn(PGconn *conn,
         int result_is_int,
         const PQArgBlock *args,
         int nargs)
+{
+       return PQnfn(conn, fnid, result_buf, -1, result_len,
+                                result_is_int, args, nargs);
+}
+
+/*
+ * PQnfn
+ *             Private version of PQfn() with verification that returned data fits in
+ *             result_buf when result_is_int == 0.  Setting buf_size to -1 disables
+ *             this verification.
+ */
+PGresult *
+PQnfn(PGconn *conn, int fnid, int *result_buf, int buf_size, int *result_len,
+         int result_is_int, const PQArgBlock *args, int nargs)
 {
        *result_len = 0;
 
@@ -2911,7 +2925,7 @@ PQfn(PGconn *conn,
        }
 
        return pqFunctionCall3(conn, fnid,
-                                                  result_buf, result_len,
+                                                  result_buf, buf_size, result_len,
                                                   result_is_int,
                                                   args, nargs);
 }

diff --git a/src/interfaces/libpq/fe-lobj.c b/src/interfaces/libpq/fe-lobj.c
index ffd9926dc4e19ec36c1cc00e71e36b910d79d02c..9c18b6b119daffccabff379a858b043a3cf0bf80 100644 (file)
--- a/src/interfaces/libpq/fe-lobj.c
+++ b/src/interfaces/libpq/fe-lobj.c
@@ -275,8 +275,8 @@ lo_read(PGconn *conn, int fd, char *buf, size_t len)
        argv[1].len = 4;
        argv[1].u.integer = (int) len;
 
-       res = PQfn(conn, conn->lobjfuncs->fn_lo_read,
-                          (void *) buf, &result_len, 0, argv, 2);
+       res = PQnfn(conn, conn->lobjfuncs->fn_lo_read,
+                               (void *) buf, len, &result_len, 0, argv, 2);
        if (PQresultStatus(res) == PGRES_COMMAND_OK)
        {
                PQclear(res);
@@ -418,8 +418,8 @@ lo_lseek64(PGconn *conn, int fd, pg_int64 offset, int whence)
        argv[2].len = 4;
        argv[2].u.integer = whence;
 
-       res = PQfn(conn, conn->lobjfuncs->fn_lo_lseek64,
-                          (void *) &retval, &result_len, 0, argv, 3);
+       res = PQnfn(conn, conn->lobjfuncs->fn_lo_lseek64,
+                               (void *) &retval, sizeof(retval), &result_len, 0, argv, 3);
        if (PQresultStatus(res) == PGRES_COMMAND_OK && result_len == 8)
        {
                PQclear(res);
@@ -574,8 +574,8 @@ lo_tell64(PGconn *conn, int fd)
        argv[0].len = 4;
        argv[0].u.integer = fd;
 
-       res = PQfn(conn, conn->lobjfuncs->fn_lo_tell64,
-                          (void *) &retval, &result_len, 0, argv, 1);
+       res = PQnfn(conn, conn->lobjfuncs->fn_lo_tell64,
+                               (void *) &retval, sizeof(retval), &result_len, 0, argv, 1);
        if (PQresultStatus(res) == PGRES_COMMAND_OK && result_len == 8)
        {
                PQclear(res);

diff --git a/src/interfaces/libpq/fe-protocol3.c b/src/interfaces/libpq/fe-protocol3.c
index 6eafbe84fc4a9fba9881307b04393f812e2d9bd9..1d0199132970192d50f4472ad18dfd82c5c1a63a 100644 (file)
--- a/src/interfaces/libpq/fe-protocol3.c
+++ b/src/interfaces/libpq/fe-protocol3.c
@@ -1968,7 +1968,7 @@ pqEndcopy3(PGconn *conn)
  */
 PGresult *
 pqFunctionCall3(PGconn *conn, Oid fnid,
-                               int *result_buf, int *actual_result_len,
+                               int *result_buf, int buf_size, int *actual_result_len,
                                int result_is_int,
                                const PQArgBlock *args, int nargs)
 {
@@ -2102,6 +2102,18 @@ pqFunctionCall3(PGconn *conn, Oid fnid,
                                        }
                                        else
                                        {
+                                               /*
+                                                * If the server returned too much data for the
+                                                * buffer, something fishy is going on.  Abandon ship.
+                                                */
+                                               if (buf_size != -1 && *actual_result_len > buf_size)
+                                               {
+                                                       appendPQExpBufferStr(&conn->errorMessage,
+                                                                                                libpq_gettext("server returned too much data\n"));
+                                                       handleSyncLoss(conn, id, *actual_result_len);
+                                                       return pqPrepareAsyncResult(conn);
+                                               }
+
                                                if (pqGetnchar((char *) result_buf,
                                                                           *actual_result_len,
                                                                           conn))

diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 85d298d433d03a1835110d1d2ae71705e65e3eca..6f34adb9f705cc76c7afdbfb38f71a407c3eb3be 100644 (file)
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -669,6 +669,9 @@ extern int  pqRowProcessor(PGconn *conn, const char **errmsgp);
 extern void pqCommandQueueAdvance(PGconn *conn, bool isReadyForQuery,
                                                                  bool gotSync);
 extern int     PQsendQueryContinue(PGconn *conn, const char *query);
+extern PGresult *PQnfn(PGconn *conn, int fnid, int *result_buf, int buf_size,
+                                          int *result_len, int result_is_int,
+                                          const PQArgBlock *args, int nargs);
 
 /* === in fe-protocol3.c === */
 
@@ -683,7 +686,8 @@ extern int  pqGetline3(PGconn *conn, char *s, int maxlen);
 extern int     pqGetlineAsync3(PGconn *conn, char *buffer, int bufsize);
 extern int     pqEndcopy3(PGconn *conn);
 extern PGresult *pqFunctionCall3(PGconn *conn, Oid fnid,
-                                                                int *result_buf, int *actual_result_len,
+                                                                int *result_buf, int buf_size,
+                                                                int *actual_result_len,
                                                                 int result_is_int,
                                                                 const PQArgBlock *args, int nargs);