httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chris Wilson <cwil...@vigilantsw.com>
Subject Possible uninitialized variable in mod_data.c
Date Thu, 09 Jun 2011 13:14:20 GMT
Hi Folks,

We recently started using Sentry (static analysis tool) to analyze
apache httpd on a nightly basis. Sentry found a potential unintialized
variable in mod_data.c added in commit 1133582.

I'm not sure if this case is actually possible at runtime, but
I'll describe it here. Note, you can view the file I'm talking
about here,
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_data.c?revision=1133582&view=markup&pathrev=1133582

static apr_status_t data_out_filter(...
{
    ...
    if (!ctx) {
        ...
        // EVENT 1: charset is uninitialized
        char *charset;
        ...
        // EVENT 2: Take false path here
        if (!ap_is_initial_req(f->r)) {
            ap_remove_output_filter(f);
            return ap_pass_brigade(f->next, bb);
        }
        ...
        type = apr_pstrdup(r->pool, r->content_type);
        // EVENT 3: take false path here
        if (type) {
            charset = strchr(type, ' ');
            if (charset) {
                *charset++ = 0;
                end = strchr(charset, ' ');
                if (end) {
                    *end++ = 0;
                }
            }
        }

        // EVENT 4: charset is used uninitialized.
        // If it's possible to reach this case, you could potentially
        // pass bogus data into the second %s.
        apr_brigade_printf(ctx->bb, NULL, NULL, "data:%s%s;base64,",
                type ? type : "", charset ? charset : "");

If this case is reachable, I would suggest a patch like this:

- char *charset;
+ char *charset = 0;
                                                                                         
Thanks,                                                                                  
Chris                                                                                    

-- 
Chris Wilson
http://vigilantsw.com/
Vigilant Software, LLC

Mime
View raw message