You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Notes Jonny <jo...@gmail.com> on 2014/10/21 14:21:36 UTC

Re: Coding standards, avoiding vulnerabilities in httpd

On Tue, Sep 16, 2014 at 9:09 PM, Notes Jonny <jo...@gmail.com> wrote:
> Hello
> I had a quick look at httpd 2.4.10 (couldn't find on the website how to site
> how to checkout the trunk)
>
> http://httpd.apache.org/docs/trunk/
>
> Taking this file as an example:
>
> httpd-2.4.10/modules/ssl/ssl_engine_init.c
>
> 1) Doesn't check make_dh_params() "prime" is a non-NULL valid function
> pointer.
>
> 2) DH *modssl_get_dh_params(unsigned keylen).
> "keylen" doesn't have a type. better to write "unsigned int keylen"
>
> 3) ssl_add_version_components() doesn't check "s" and "p" are valid non-NULL
> parameters before using them.
>
> 4) ssl_add_version_components() "modver" "incver" "libver" should probably
> be "const char *"
>
> 5) ssl_init_Module() all pointer params should be checked to be non-NULL,
> and an appropriate error apr_status_t returned (something other than
> APR_SUCCESS)
>
> In my view, worth making these changes. You may already be familiar with
> ISO/IEC TR 24772 which covers these kind of things.
>
> Regards, Jonny

Hello
Would a patch be supported to add these improvements?