ecpg: Fix NULL pointer dereference during connection lookup

michaelpq · michaelpq · commit 408fe659a890 · 2025-07-22T14:00:10.000+09:00
ECPGconnect() caches established connections to the server, supporting the case of a NULL connection name when a database name is not specified by its caller. A follow-up call to ECPGget_PGconn() to get an established connection from the cached set with a non-NULL name could cause a NULL pointer dereference if a NULL connection was listed in the cache and checked for a match. At least two connections are necessary to reproduce the issue: one with a NULL name and one with a non-NULL name. Author: Aleksander Alekseev <aleksander@tigerdata.com> Discussion: https://postgr.es/m/CAJ7c6TNvFTPUTZQuNAoqgzaSGz-iM4XR61D7vEj5PsQXwg2RyA@mail.gmail.com Backpatch-through: 13
diff --git a/src/interfaces/ecpg/ecpglib/connect.c b/src/interfaces/ecpg/ecpglib/connect.c
@@ -66,7 +66,12 @@ ecpg_get_connection_nr(const char *connection_name)
 
 		for (con = all_connections; con != NULL; con = con->next)
 		{
-			if (strcmp(connection_name, con->name) == 0)
+			/*
+			 * Check for the case of a NULL connection name, stored as such in
+			 * the connection information by ECPGconnect() when the database
+			 * name is not specified by its caller.
+			 */
+			if (con->name != NULL && strcmp(connection_name, con->name) == 0)
 				break;
 		}
 		ret = con;

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,12 @@ ecpg_get_connection_nr(const char *connection_name)`
`66`	`66`
`67`	`67`	`for (con = all_connections; con != NULL; con = con->next)`
`68`	`68`	`{`
`69`		`- if (strcmp(connection_name, con->name) == 0)`
	`69`	`+ /*`
	`70`	`+ * Check for the case of a NULL connection name, stored as such in`
	`71`	`+ * the connection information by ECPGconnect() when the database`
	`72`	`+ * name is not specified by its caller.`
	`73`	`+ */`
	`74`	`+ if (con->name != NULL && strcmp(connection_name, con->name) == 0)`
`70`	`75`	`break;`
`71`	`76`	`}`
`72`	`77`	`ret = con;`