Posted to dev@httpd.apache.org by Christophe JAILLET <ch...@wanadoo.fr> on 2012/07/15 12:04:57 UTC

mod_cgid and accept

Hi,

looking around for static analysis tools, I arrived on a commercial 
software that states that it has already found some mistakes in httpd.

Reading it, I noticed one of their examples, found in libhttpd. This 
example concerned the return value from 'accept'.

I looked in httpd for a similar construction, and found one in 
modules\generators\mod_cgid.c:
 >>>>>>>>>>>>>>
    sd2 = accept(sd, (struct sockaddr *)&unix_addr, &len);
    if (sd2 < 0) {
 >>>>>>>>>>>>>>


According to http://www.viva64.com/en/b/0105/ (search in the page for 
libhttpd to see their explanation), the return value of 'accept' should not 
be tested for negative values, at least on Windows.


I don't know if it is really an issue or not, I just wanted to point it 
out in case it is of interest for an httpd/socket/Windows guru.


Is there any chance for 
(https://issues.apache.org/bugzilla/show_bug.cgi?id=52476) to be related 
to it?


Best regards,
Christophe Jaillet
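As an added illustration of the point raised above (example code, not from httpd or the original poster): under POSIX accept() returns a signed int and -1 on failure, while Winsock's SOCKET is an unsigned UINT_PTR whose failure value is INVALID_SOCKET, so "sd2 < 0" can never be true there. The win_socket_t typedef and WIN_INVALID_SOCKET below are stand-ins mirroring those Winsock definitions so the code compiles without winsock2.h.

```c
/* Added example, not httpd code: the "accept(...) < 0" check under both
 * return-value conventions, beside a check that compares against each
 * platform's documented failure value instead of relying on the sign of
 * the handle type. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef int       posix_socket_t;                /* POSIX: int, -1 on failure      */
typedef uintptr_t win_socket_t;                  /* stand-in for Winsock's SOCKET  */
#define WIN_INVALID_SOCKET ((win_socket_t)(~0))  /* stand-in for INVALID_SOCKET    */

/* The check quoted from mod_cgid, applied to each handle type. */
bool naive_failed_posix(posix_socket_t s) { return s < 0; }

/* On the unsigned type the same comparison is tautologically false, so an
 * accept() failure is silently treated as a valid socket. gcc and clang
 * report this with -Wtype-limits; the pragma only silences that warning
 * so the faulty form can be shown as written. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wtype-limits"
bool naive_failed_win(win_socket_t s) { return s < 0; }
#pragma GCC diagnostic pop

/* Portable form: test for the failure value the platform actually returns. */
bool portable_failed_posix(posix_socket_t s) { return s == -1; }
bool portable_failed_win(win_socket_t s)     { return s == WIN_INVALID_SOCKET; }

int main(void)
{
    /* Constructed failure values for each convention (no real socket used). */
    posix_socket_t posix_err = -1;
    win_socket_t   win_err   = WIN_INVALID_SOCKET;

    printf("POSIX   naive=%d portable=%d\n",
           naive_failed_posix(posix_err), portable_failed_posix(posix_err));
    printf("Winsock naive=%d portable=%d\n",   /* naive check misses the failure */
           naive_failed_win(win_err), portable_failed_win(win_err));
    return 0;
}
```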


Re: mod_cgid and accept

Posted by Jeff Trawick <tr...@gmail.com>.
On Sun, Jul 15, 2012 at 4:04 AM, Christophe JAILLET
<ch...@wanadoo.fr> wrote:
> Hi,
>
> looking around for static analysis tools, I arrived on a commercial software
> that states that it has already found some mistakes in httpd.
>
> Reading it, I noticed one of their examples, found in libhttpd. This example
> concerned the return value from 'accept'.
>
> I looked in httpd for a similar construction, and found one in
> modules\generators\mod_cgid.c:
>>>>>>>>>>>>>>>
>    sd2 = accept(sd, (struct sockaddr *)&unix_addr, &len);
>    if (sd2 < 0) {
>>>>>>>>>>>>>>>

mod_cgid isn't written for Windows.  There are plenty of other
Unix-isms as well.

>
>
> According to http://www.viva64.com/en/b/0105/ (search in the page for
> libhttpd to see their explanation), the return value of 'accept' should not be
> tested for negative values, at least on Windows.
>
>
> I don't know if it is really an issue or not, I just wanted to point it out
> in case it is of interest for an httpd/socket/Windows guru.
>
>
> Is there any chance for
> (https://issues.apache.org/bugzilla/show_bug.cgi?id=52476) to be related to
> it?
>
>
> Best regards,
> Christophe Jaillet
>



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/

Re: mod_cgid and accept

Posted by Christophe JAILLET <ch...@wanadoo.fr>.
On 15/07/2012 12:24, Tom Browder wrote:
> On Sun, Jul 15, 2012 at 5:04 AM, Christophe JAILLET
> <ch...@wanadoo.fr> wrote:
>> Hi,
>>
>> looking around for static analysis tools, I arrived on a commercial software
>> that states that it has already found some mistakes in httpd.
> Christophe brings up a good point.  Has the httpd project ever had its
> code analyzed by Coverity?  If not, it should be eligible for a free
> scan.  See the bottom of this page for a free scan request:
>
>    http://www.coverity.com/products/static-analysis.html
>
> Best regards,
>
> -Tom
>
http://scan.coverity.com/rungAll.html, Apache is there, in rung 1, but I 
don't know who has access to the results of the scan.

Christophe Jaillet


Re: mod_cgid and accept

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 7/15/2012 3:24 AM, Tom Browder wrote:
> On Sun, Jul 15, 2012 at 5:04 AM, Christophe JAILLET
> <ch...@wanadoo.fr> wrote:
>> Hi,
>>
>> looking around for static analysis tools, I arrived on a commercial software
>> that states that it has already found some mistakes in httpd.
> 
> Christophe brings up a good point.  Has the httpd project ever had its
> code analyzed by Coverity?  If not, it should be eligible for a free
> scan.  See the bottom of this page for a free scan request:
> 
>   http://www.coverity.com/products/static-analysis.html

Often.  Occasionally someone discovers an actually interesting bit of source
which has a potential security implication, and sends us a report on the
security@httpd list.


Re: mod_cgid and accept

Posted by Tom Browder <to...@gmail.com>.
On Sun, Jul 15, 2012 at 5:04 AM, Christophe JAILLET
<ch...@wanadoo.fr> wrote:
> Hi,
>
> looking around for static analysis tools, I arrived on a commercial software
> that states that it has already found some mistakes in httpd.

Christophe brings up a good point.  Has the httpd project ever had its
code analyzed by Coverity?  If not, it should be eligible for a free
scan.  See the bottom of this page for a free scan request:

  http://www.coverity.com/products/static-analysis.html

Best regards,

-Tom