From: Amjad Shahzad Date: Fri, 05 Jun 2026 00:00:00 +0500 Subject: [PATCH v1] dblink: Fix NULL dereference crash in dblink_get_notify() dblink_get_notify() retrieves async notifications from a remote connection. When called with no arguments it uses the default (unnamed) connection. If no default connection has been established, pconn->conn is NULL. The code assigned this NULL to conn and then passed it directly to PQconsumeInput() and PQnotifies() without any check: else conn = pconn->conn; /* NULL if no connection established */ InitMaterializedSRF(fcinfo, 0); PQconsumeInput(conn); /* passes NULL to libpq */ while ((notify = PQnotifies(conn)) != NULL) /* NULL dereference */ PQnotifies(NULL) dereferences a null pointer internally, causing a backend SIGSEGV. Any user with EXECUTE on the function (granted to PUBLIC by default) can trigger this with a single call: SELECT * FROM dblink_get_notify(); Every other function in dblink.c that uses the default connection already has an explicit NULL guard via dblink_conn_not_avail(). dblink_get_notify() was the only exception. Fix by adding the same NULL check used everywhere else in the file. Regression tests: all 2/2 dblink tests pass with this patch applied (meson test --suite dblink on master 0392fb900eb). Reported-by: Amjad Shahzad --- contrib/dblink/dblink.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/contrib/dblink/dblink.c b/contrib/dblink/dblink.c index d843eee7e97..6e17f86113d 100644 --- a/contrib/dblink/dblink.c +++ b/contrib/dblink/dblink.c @@ -1890,7 +1890,11 @@ dblink_get_notify(PG_FUNCTION_ARGS) if (PG_NARGS() == 1) conn = dblink_get_named_conn(text_to_cstring(PG_GETARG_TEXT_PP(0))); else + { conn = pconn->conn; + if (!conn) + dblink_conn_not_avail(NULL); + } InitMaterializedSRF(fcinfo, 0); -- PostgreSQL master-0392fb900eb
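Review bot: the new `if (!conn) dblink_conn_not_avail(NULL);` guard in the else arm of dblink_get_notify() comes without a regression test. The diffstat touches only contrib/dblink/dblink.c, and the commit message reports only that the existing dblink tests still pass. Add a case to the dblink regression suite that runs `SELECT * FROM dblink_get_notify();` in a session with no default connection and expects the connection-not-available error, so the guard cannot be removed later without a test failing. Because the message describes a backend SIGSEGV reachable through a function that is executable by PUBLIC by default, it should also say whether the fix is intended for back-patching to the supported branches.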