Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/09/09 07:54:05 UTC
[Bug 64726] New: Three NULL Pointer Dereference Bugs with bug traces
https://bz.apache.org/bugzilla/show_bug.cgi?id=64726
Bug ID: 64726
Summary: Three NULL Pointer Dereference Bugs with bug traces
Product: Apache httpd-2
Version: 2.4-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: critical
Priority: P2
Component: mod_dav
Assignee: bugs@httpd.apache.org
Reporter: cwangch@connect.ust.hk
Target Milestone: ---
Hi guys,
We have found three NULL Pointer Dereference Bugs as follows. The details of
each bug are explained.
1. Bug description: `dav_buffer_append` dereferences `str` at line 155 in
`modules/dav/main/util.c`, while `str` is potentially an empty string.
Root cause: `*fname_p = NULL` in the function `dav_fs_dir_file_name` defined in
`modules/dav/fs/repos.c`.
"report 1": {
    "Bug Type": "NULL Pointer Dereference",
    "CWE ID": "CWE-476",
    "tips": [
        {
            "File": "modules/dav/fs/repos.c",
            "Func": "dav_fs_dir_file_name",
            "Line": 247
        },
        {
            "File": "modules/dav/fs/repos.c",
            "Func": "dav_fs_dir_file_name",
            "Line": 292
        },
        {
            "File": "modules/dav/fs/lock.c",
            "Func": "dav_fs_add_locknull_state",
            "Line": 936
        },
        {
            "File": "modules/dav/fs/lock.c",
            "Func": "dav_fs_add_locknull_state",
            "Line": 943
        },
        {
            "File": "modules/dav/main/util.c",
            "Func": "dav_buffer_append",
            "Line": 155
        }
    ]
}
2. Bug description: `dav_fs_insert_prop` dereferences `info` at line 2000 and
line 2004 in the form `info->name`, while `*info` can be null.
Root cause: Although it is claimed that info is not equal to NULL in the
annotation, we check the feasibility of the control flow path and find that
`modules/dav/main/liveprop.c` can set `*info = NULL` at line 127 in
`dav_get_liveprop_info` defined in `modules/dav/main/liveprop.c`.
"report 2": {
    "Bug Type": "NULL Pointer Dereference",
    "CWE ID": "CWE-476",
    "tips": [
        {
            "File": "modules/dav/main/liveprop.c",
            "Func": "dav_get_liveprop_info",
            "Line": 127
        },
        {
            "File": "modules/dav/main/liveprop.c",
            "Func": "dav_get_liveprop_info",
            "Line": 129
        },
        {
            "File": "modules/dav/fs/repos.c",
            "Func": "dav_fs_insert_prop",
            "Line": 1990
        },
        {
            "File": "modules/dav/fs/repos.c",
            "Func": "dav_fs_insert_prop",
            "Line": 2000
        }
    ]
}
"report 3": {
    "Bug Type": "NULL Pointer Dereference",
    "CWE ID": "CWE-476",
    "tips": [
        {
            "File": "modules/dav/main/liveprop.c",
            "Func": "dav_get_liveprop_info",
            "Line": 127
        },
        {
            "File": "modules/dav/main/liveprop.c",
            "Func": "dav_get_liveprop_info",
            "Line": 129
        },
        {
            "File": "modules/dav/fs/repos.c",
            "Func": "dav_fs_insert_prop",
            "Line": 1990
        },
        {
            "File": "modules/dav/fs/repos.c",
            "Func": "dav_fs_insert_prop",
            "Line": 2004
        }
    ]
}
According to CWE 476, there are several problems with leaving the code with
null references. An attacker can take advantage of the opportunity to introduce
malicious code. In this case, we are not sure of the behavior of the compiler
when faced with a null reference.
Best regards
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
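The path described in report 2, as an added example that is not httpd's code and not part of the original report: a simplified model in which a lookup stores NULL through its out-parameter on a miss, a triage helper that searches for a concrete input reaching the dereference with NULL, and a caller that checks the pointer. `prop_spec`, `lookup_prop`, the two gate functions and the ids are hypothetical, and the caller-side gate is an assumption of the model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: types, names and ids are hypothetical, not httpd's. */
typedef struct { int propid; const char *name; } prop_spec;

static const prop_spec specs[] = {
    { 1, "creationdate" },
    { 2, "getcontentlength" },
    { 0, NULL }                          /* end-of-table sentinel */
};

/* Lookup with an out-parameter: stores NULL in *info on a miss. */
static int lookup_prop(int propid, const prop_spec **info)
{
    for (const prop_spec *s = specs; s->name != NULL; ++s)
        if (s->propid == propid) { *info = s; return 1; }
    *info = NULL;
    return 0;
}

/* Caller-side gates: one matches the table, one also admits id 3. */
static int gate_in_sync(int id) { return id == 1 || id == 2; }
static int gate_stale(int id)   { return id >= 1 && id <= 3; }

/* Triage: first id in [lo, hi] (ids > 0) that passes the gate yet misses
 * the table, i.e. an input reaching the dereference with NULL; 0 if none. */
int first_null_witness(int (*gate)(int), int lo, int hi)
{
    const prop_spec *info;
    for (int id = lo; id <= hi; ++id)
        if (gate(id) && !lookup_prop(id, &info)) return id;
    return 0;
}

/* Checks the out-parameter instead of asserting on it; -1 = not defined. */
int insert_prop_checked(int (*gate)(int), int propid)
{
    const prop_spec *info;
    if (!gate(propid) || !lookup_prop(propid, &info) || info == NULL)
        return -1;
    return (int)strlen(info->name);
}

int main(void)
{
    printf("in-sync gate witness: %d, stale gate witness: %d\n",
           first_null_witness(gate_in_sync, 1, 100),
           first_null_witness(gate_stale, 1, 100));
    return 0;
}
```

A witness of 0 means no admitted input can reach the dereference with NULL in this model; a non-zero witness is a concrete input to build a reproduction from.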
[Bug 64726] Three NULL Pointer Dereference Bugs with bug traces
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64726
Joe Orton <jo...@redhat.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID
--- Comment #1 from Joe Orton <jo...@redhat.com> ---
Static analyzer output is not a bug. Please try to turn these into
reproducible bugs, and report reliable reproduction recipes, otherwise do not
put this stuff in Bugzilla. If you want to report static analyzer output to
dev@ that may be of general interest.