db: avoid calling memcpy on NULL

morehouse · cdecker · commit 45cb2b149c7c · 2023-06-05T16:16:21.000+02:00
It is possible for db_column_bytes() to return 0 and for db_column_blob() to return NULL even when db_column_is_null() returns false. We need to short circuit in this case. Detected by UBSan: db/bindings.c:479:12: runtime error: null pointer passed as argument 2, which is declared to never be null /usr/include/string.h:44:28: note: nonnull attribute specified here #0 0x95f117 in db_col_arr_ db/bindings.c:479:2 #1 0x95ef85 in db_col_channel_type db/bindings.c:459:32 #2 0x852c03 in wallet_stmt2channel wallet/wallet.c:1483:9 #3 0x81f396 in wallet_channels_load_active wallet/wallet.c:1749:23 #4 0x81f03d in wallet_init_channels wallet/wallet.c:1765:9 ElementsProject#5 0x72f1f9 in load_channels_from_wallet lightningd/peer_control.c:2257:7 ElementsProject#6 0x672856 in main lightningd/lightningd.c:1121:25
diff --git a/db/bindings.c b/db/bindings.c
@@ -490,7 +490,8 @@ void *db_col_arr_(const tal_t *ctx, struct db_stmt *stmt, const char *colname,
 			 caller, colname, col, sourcelen, label, bytes);
 
 	p = tal_arr_label(ctx, char, sourcelen, label);
-	memcpy(p, db_column_blob(stmt, col), sourcelen);
+	if (sourcelen != 0)
+		memcpy(p, db_column_blob(stmt, col), sourcelen);
 	return p;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -490,7 +490,8 @@ void db_col_arr_(const tal_t ctx, struct db_stmt stmt, const char colname,`
`490`	`490`	`caller, colname, col, sourcelen, label, bytes);`
`491`	`491`
`492`	`492`	`p = tal_arr_label(ctx, char, sourcelen, label);`
`493`		`- memcpy(p, db_column_blob(stmt, col), sourcelen);`
	`493`	`+ if (sourcelen != 0)`
	`494`	`+ memcpy(p, db_column_blob(stmt, col), sourcelen);`
`494`	`495`	`return p;`
`495`	`496`	`}`
`496`	`497`