Posted to dev@httpd.apache.org by Chris Wilson <cw...@vigilantsw.com> on 2011/06/09 15:14:20 UTC

Possible uninitialized variable in mod_data.c

Hi Folks,

We recently started using Sentry (static analysis tool) to analyze
apache httpd on a nightly basis. Sentry found a potential uninitialized
variable in mod_data.c added in commit 1133582.

I'm not sure if this case is actually possible at runtime, but
I'll describe it here. Note, you can view the file I'm talking
about here,
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_data.c?revision=1133582&view=markup&pathrev=1133582

static apr_status_t data_out_filter(...
{
    ...
    if (!ctx) {
        ...
        // EVENT 1: charset is uninitialized
        char *charset;
        ...
        // EVENT 2: Take false path here
        if (!ap_is_initial_req(f->r)) {
            ap_remove_output_filter(f);
            return ap_pass_brigade(f->next, bb);
        }
        ...
        type = apr_pstrdup(r->pool, r->content_type);
        // EVENT 3: take false path here
        if (type) {
            charset = strchr(type, ' ');
            if (charset) {
                *charset++ = 0;
                end = strchr(charset, ' ');
                if (end) {
                    *end++ = 0;
                }
            }
        }

        // EVENT 4: charset is used uninitialized.
        // If it's possible to reach this case, you could potentially
        // pass bogus data into the second %s.
        apr_brigade_printf(ctx->bb, NULL, NULL, "data:%s%s;base64,",
                type ? type : "", charset ? charset : "");

If this case is reachable, I would suggest a patch like this:

- char *charset;
+ char *charset = 0;
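
Review bot: On the `+ char *charset = 0;` line, prefer `NULL` over `0` for the pointer initializer, matching the `NULL` arguments passed to `apr_brigade_printf` in the same function. The initializer is what makes `charset ? charset : ""` well defined when `type` is NULL and the `if (type)` block is skipped; `end` is likewise assigned only inside `if (charset)`, so if it is read anywhere past that block it needs the same treatment.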

Thanks,
Chris

-- 
Chris Wilson
http://vigilantsw.com/
Vigilant Software, LLC
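
The path described in the message above, as an added stand-alone example that is not httpd code and not part of the original post: it follows the excerpt's split of the content type and shows that, with `charset` initialized, a NULL content type still yields a defined header. The function name `build_data_prefix` is hypothetical, and `malloc`/`snprintf` stand in for `apr_pstrdup`/`apr_brigade_printf` as an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the header-building step in the excerpt. Returns the number of
 * characters written, or -1 on allocation failure or truncation. */
static int build_data_prefix(const char *content_type, char *out, size_t outlen)
{
    char *type = NULL;
    char *charset = NULL;   /* defined on every path, including type == NULL */
    char *end = NULL;
    int n;

    if (content_type) {     /* plays the role of apr_pstrdup(r->pool, ...) */
        size_t len = strlen(content_type) + 1;
        type = malloc(len);
        if (!type) {
            return -1;
        }
        memcpy(type, content_type, len);
    }
    if (type) {             /* EVENT 3: skipped entirely when type is NULL */
        charset = strchr(type, ' ');
        if (charset) {
            *charset++ = 0;
            end = strchr(charset, ' ');
            if (end) {
                *end = 0;
            }
        }
    }
    /* EVENT 4: both ternaries now test initialized pointers. */
    n = snprintf(out, outlen, "data:%s%s;base64,",
                 type ? type : "", charset ? charset : "");
    free(type);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    /* Constructed sample inputs; NULL models a response with no content type. */
    const char *samples[] = { NULL, "text/plain", "text/html; charset=utf-8 x" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_data_prefix(samples[i], buf, sizeof buf) >= 0) {
            puts(buf);
        }
    }
    return 0;
}
```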

Re: Possible uninitialized variable in mod_data.c

Posted by Igor Galić <i....@brainsware.org>.

----- Original Message -----
> Hi Folks,
> 
> We recently started using Sentry (static analysis tool) to analyze
> apache httpd on a nightly basis. Sentry found a potential
> uninitialized
> variable in mod_data.c added in commit 1133582.


I think our human review machine already caught that one
http://mail-archives.apache.org/mod_mbox/httpd-dev/201106.mbox/%3C4DF07362.3060501@apache.org%3E

> I'm not sure if this case is actually possible at runtime, but
> I'll describe it here. Note, you can view the file I'm talking
> about here,
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_data.c?revision=1133582&view=markup&pathrev=1133582
> 
> static apr_status_t data_out_filter(...
> {
>     ...
>     if (!ctx) {
>         ...
>         // EVENT 1: charset is uninitialized
>         char *charset;
>         ...
>         // EVENT 2: Take false path here
>         if (!ap_is_initial_req(f->r)) {
>             ap_remove_output_filter(f);
>             return ap_pass_brigade(f->next, bb);
>         }
>         ...
>         type = apr_pstrdup(r->pool, r->content_type);
>         // EVENT 3: take false path here
>         if (type) {
>             charset = strchr(type, ' ');
>             if (charset) {
>                 *charset++ = 0;
>                 end = strchr(charset, ' ');
>                 if (end) {
>                     *end++ = 0;
>                 }
>             }
>         }
> 
>         // EVENT 4: charset is used uninitialized.
>         // If it's possible to reach this case, you could potentially
>         // pass bogus data into the second %s.
>         apr_brigade_printf(ctx->bb, NULL, NULL, "data:%s%s;base64,",
>                 type ? type : "", charset ? charset : "");
> 
> If this case is reachable, I would suggest a patch like this:
> 
> - char *charset;
> + char *charset = 0;
>
> Thanks,
> Chris
> 
> --
> Chris Wilson
> http://vigilantsw.com/
> Vigilant Software, LLC
> 

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/