db: avoid calling memcpy on NULL

It is possible for db_column_bytes() to return 0 and for db_column_blob() to return NULL even when db_column_is_null() returns false. We need to short circuit in this case. Detected by UBSan: db/bindings.c:479:12: runtime error: null pointer passed as argument 2, which is declared to never be null /usr/include/string.h:44:28: note: nonnull attribute specified here #0 0x95f117 in db_col_arr_ db/bindings.c:479:2 #1 0x95ef85 in db_col_channel_type db/bindings.c:459:32 #2 0x852c03 in wallet_stmt2channel wallet/wallet.c:1483:9 #3 0x81f396 in wallet_channels_load_active wallet/wallet.c:1749:23 #4 0x81f03d in wallet_init_channels wallet/wallet.c:1765:9 ElementsProject#5 0x72f1f9 in load_channels_from_wallet lightningd/peer_control.c:2257:7 ElementsProject#6 0x672856 in main lightningd/lightningd.c:1121:25
morehouse · Apr 12, 2023 · 8fe6a42 · 8fe6a42
1 parent e8dc899
commit 8fe6a42
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/db/bindings.c b/db/bindings.c
@@ -466,10 +466,9 @@ void *db_col_arr_(const tal_t *ctx, struct db_stmt *stmt, const char *colname,
 	size_t sourcelen;
 	void *p;
 
-	if (db_column_is_null(stmt, col))
-		return NULL;
-
 	sourcelen = db_column_bytes(stmt, col);
+	if (sourcelen == 0)
+		return NULL;
 
 	if (sourcelen % bytes != 0)
 		db_fatal("%s: %s/%zu column size for %zu not a multiple of %s (%zu)",