Обсуждение: [PATCH] Fix missing argument handling in psql getopt

When passing an argument option with a missing argument, strcmp would
be called with the argv terminating NULL.
---
 src/bin/psql/startup.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/bin/psql/startup.c b/src/bin/psql/startup.c
index 4730c73396..cffbfc864e 100644
--- a/src/bin/psql/startup.c
+++ b/src/bin/psql/startup.c
@@ -667,12 +667,13 @@ parse_psql_options(int argc, char *argv[], struct adhoc_opts *options)
                 break;
             case '?':
                 /* Actual help option given */
-                if (strcmp(argv[optind - 1], "-?") == 0)
+                if (optind <= argc &&
+                    strcmp(argv[optind - 1], "-?") == 0)
                 {
                     usage(NOPAGER);
                     exit(EXIT_SUCCESS);
                 }
-                /* unknown option reported by getopt */
+                /* unknown option or missing argument */
                 else
                     goto unknown_option;
                 break;
-- 
2.23.0

Quentin Rameau <quinq@fifth.space> writes:
> When passing an argument option with a missing argument, strcmp would
> be called with the argv terminating NULL.

Um ... so how would control get there with optind too large?
What test case/platform are you considering?

(There really shouldn't be *any* case where getopt advances
optind past argc, imo.)

            regards, tom lane

Hello Tom,

> > When passing an argument option with a missing argument, strcmp
> > would be called with the argv terminating NULL.
>
> Um ... so how would control get there with optind too large?

That's from the getopt specification[0]:

“If the option was the last character in the string pointed to by an
element of argv, then optarg shall contain the next element of argv,
and optind shall be incremented by 2. If the resulting value of optind
is greater than argc, this indicates a missing option-argument, and
getopt() shall return an error indication.”

So in the case of “psql -h“, optarg points to argv[2] and optind is set
to 3 (optind is initialized to 1, then incremented by 2).

> What test case/platform are you considering?

Test case is just running psql -h.
The bug has been exposed by testing psql on musl.

> (There really shouldn't be *any* case where getopt advances
> optind past argc, imo.)

Actually that's the typical error case, as per the specification quoted
above.

[0] https://pubs.opengroup.org/onlinepubs/9699919799/functions/getopt.html

> > Um ... so how would control get there with optind too large?

Sorry, I missed the simple explanation for that:

As option 'h' is missing an argument, getopt(_long) returns the
character '?' which is switched on through variable c, and the program
jumps to the '?' case handling.

Quentin Rameau <quinq@fifth.space> writes:
>> Um ... so how would control get there with optind too large?

> That's from the getopt specification[0]:

> “If the option was the last character in the string pointed to by an
> element of argv, then optarg shall contain the next element of argv,
> and optind shall be incremented by 2. If the resulting value of optind
> is greater than argc, this indicates a missing option-argument, and
> getopt() shall return an error indication.”

Hm, interesting --- glibc doesn't seem to do that (advance optind past
argc), nor do any of the principal BSDen.  I see that this could be
read as requiring it, but it seems like musl is pretty out of step
by reading it that way.

I actually don't care for that code very much and would prefer that
we nuke it entirely, because I think it's assuming more than it ought to
about the meaning of optind: in the case of multiple option letters in one
argv element, it's unspecified exactly when optind advances.  So the other
problem here is that sometimes it's looking at the argv element *before*
the relevant one.  (It's easily demonstrated that this is so with glibc's
getopt().)  Probably that doesn't ever result in wrong behavior in
practice, but it still seems bogus.

The normal case of "psql -?" is handled before we ever get to this code,
so if we just deleted '?' entirely from this logic, it would mostly do
what we want.  The case that would change is, eg,

    psql -f foo -?

where now you get a usage message but you'd just get an "invalid option"
complaint without the special case.  Seeing that none of our other
command-line programs have this special case, I'm not sure why psql
still does.

            regards, tom lane

> > “If the option was the last character in the string pointed to by an
> > element of argv, then optarg shall contain the next element of argv,
> > and optind shall be incremented by 2. If the resulting value of optind
> > is greater than argc, this indicates a missing option-argument, and
> > getopt() shall return an error indication.”
>
> Hm, interesting --- glibc doesn't seem to do that (advance optind past
> argc), nor do any of the principal BSDen.  I see that this could be
> read as requiring it, but it seems like musl is pretty out of step
> by reading it that way.

Yes they don't, but the specification looks pretty clear to me, there's
nothing ambiguous about it.
Now it's a matter of implementation willing to adhere or not to it.

> I actually don't care for that code very much and would prefer that
> we nuke it entirely, because I think it's assuming more than it ought to
> about the meaning of optind: in the case of multiple option letters in one
> argv element, it's unspecified exactly when optind advances.

Yes, optind shouldn't be used this way here.
But it's specified exactly how and when optind advances, following the
above code, which specifies the first use case of separated option and
argument, there's a second case for grouped option and argument:

“Otherwise, optarg shall point to the string following the option
character in that element of argv, and optind shall be incremented by 1.”

> So the other
> problem here is that sometimes it's looking at the argv element *before*
> the relevant one.  (It's easily demonstrated that this is so with glibc's
> getopt().)  Probably that doesn't ever result in wrong behavior in
> practice, but it still seems bogus.
>
> The normal case of "psql -?" is handled before we ever get to this code,
> so if we just deleted '?' entirely from this logic, it would mostly do
> what we want.  The case that would change is, eg,
>
>     psql -f foo -?
>
> where now you get a usage message but you'd just get an "invalid option"
> complaint without the special case.  Seeing that none of our other
> command-line programs have this special case, I'm not sure why psql
> still does.

Another better way, I think, to fix this is to check for optopt
instead, which would be set to the option which caused the error, which
if empty means there isn't an error.

Patch attached.

> Another better way, I think, to fix this is to check for optopt
> instead, which would be set to the option which caused the error, which
> if empty means there isn't an error.
> 
> Patch attached.

Actually OpenBSD seems to set optopt to '?' by default, so the updated
attached patch ensure we start with an empty optopt.

Quentin Rameau <quinq@fifth.space> writes:
> Another better way, I think, to fix this is to check for optopt
> instead, which would be set to the option which caused the error, which
> if empty means there isn't an error.

Meh.  We don't use optopt at all today, and I don't especially want
to start doing so.  A patch that's trying to remove a platform
dependency (which is what this is, pedantic arguments that musl can
read POSIX better than anyone else notwithstanding) should not do
so by introducing hazards of new platform dependencies.

I've pushed your original patch (with some comment-tweaking).
It seems unlikely to break anything.

            regards, tom lane

> I've pushed your original patch (with some comment-tweaking).
> It seems unlikely to break anything.

Thanks!