libpq: Poison the v2 part of a v1 Bearer request The new PGoauthBearerRequestV2 API (which has similarities to the "subclass" pointer architecture in use by the backend, for Nodes) carries the risk of a developer ignoring the type of hook in use and just casting directly to the V2 struct. This will appear to work fine in 19, but crash (or worse) when speaking to libpq 18.
However, we're in a unique position to catch this problem, because we have tight control over the struct. Add poisoning code to the v1 path which does the following: - masks the v2 request->issuer pointer, to hopefully point at nonsense memory - abort()s if the v2 request->error is assigned by the hook - attempts to cover both with VALGRIND_MAKE_MEM_NOACCESS for the duration of the callback (a potential AddressSanitizer implementation is left for future work) The struct is unpoisoned after the call, so we can switch back to the v2 internal implementation when necessary. Reviewed-by: Zsolt Parragi <[email protected]> Reviewed-by: Chao Li <[email protected]> Discussion: https://postgr.es/m/CAOYmi%2BnCg5upBVOo_UCSjMfO%3DYMkZXcSEsgaADKXqerr5wahZQ%40mail.gmail.com Branch ------ master Details ------- https://git.postgresql.org/pg/commitdiff/0af4d402cb900364f275cc6f9c28dca4a5bec36b Modified Files -------------- src/interfaces/libpq/fe-auth-oauth.c | 142 ++++++++++++++++++++++++++++++++--- src/interfaces/libpq/fe-auth-oauth.h | 1 + 2 files changed, 134 insertions(+), 9 deletions(-)
