httpd-dev mailing list archives

From Igor Galić <i.ga...@brainsware.org>
Subject Re: Possible uninitialized variable in mod_data.c
Date Thu, 09 Jun 2011 21:39:07 GMT


----- Original Message -----
> Hi Folks,
> 
> We recently started using Sentry (static analysis tool) to analyze
> apache httpd on a nightly basis. Sentry found a potential
> uninitialized variable in mod_data.c added in commit 1133582.


I think our human review machine already caught that one
http://mail-archives.apache.org/mod_mbox/httpd-dev/201106.mbox/%3C4DF07362.3060501@apache.org%3E

> I'm not sure if this case is actually possible at runtime, but
> I'll describe it here. Note, you can view the file I'm talking
> about here,
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_data.c?revision=1133582&view=markup&pathrev=1133582
> 
> static apr_status_t data_out_filter(...
> {
>     ...
>     if (!ctx) {
>         ...
>         // EVENT 1: charset is uninitialized
>         char *charset;
>         ...
>         // EVENT 2: Take false path here
>         if (!ap_is_initial_req(f->r)) {
>             ap_remove_output_filter(f);
>             return ap_pass_brigade(f->next, bb);
>         }
>         ...
>         type = apr_pstrdup(r->pool, r->content_type);
>         // EVENT 3: take false path here
>         if (type) {
>             charset = strchr(type, ' ');
>             if (charset) {
>                 *charset++ = 0;
>                 end = strchr(charset, ' ');
>                 if (end) {
>                     *end++ = 0;
>                 }
>             }
>         }
> 
>         // EVENT 4: charset is used uninitialized.
>         // If it's possible to reach this case, you could potentially
>         // pass bogus data into the second %s.
>         apr_brigade_printf(ctx->bb, NULL, NULL, "data:%s%s;base64,",
>                 type ? type : "", charset ? charset : "");
> 
> If this case is reachable, I would suggest a patch like this:
> 
> - char *charset;
> + char *charset = 0;
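
Review bot: the initialization in `+ char *charset = 0;` is the right fix and is worth applying whether or not the EVENT 3 false path is reachable: the later guard `charset ? charset : ""` only protects against NULL, and reading an indeterminate pointer is undefined behaviour in C, so the compiler is not obliged to produce the "empty charset" result even when the value happens to be zero. When `r->content_type` is NULL, `type` is NULL and the whole `if (type)` block is skipped, which is exactly the path that leaves `charset` unassigned. Prefer `NULL` over `0` to match the surrounding pointer code, and send it as a full `svn diff` with context so it applies cleanly against the revision you reference.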
> Thanks,
> Chris
> 
> --
> Chris Wilson
> http://vigilantsw.com/
> Vigilant Software, LLC
> 

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
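As an added example, not code from mod_data.c or from this thread, the same split logic as a stand-alone C function with the initialization Chris proposes, so the NULL Content-Type path (EVENT 3 false) yields an empty charset instead of an indeterminate pointer. The function names, the caller-supplied output buffer and the use of `strcpy`/`snprintf` in place of APR pools and brigades are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the prefix construction in mod_data.c: split the Content-Type
 * value at the first space (as the module does) into "type" and "charset"
 * and format the data: URI prefix.  Returns 0 on success, -1 if the input
 * or output buffer is too small.  Names and interface are assumptions. */
int build_data_uri_prefix(const char *content_type, char *out, size_t outlen)
{
    char buf[256];
    char *type = NULL;
    /* The fix: start from NULL so the "no Content-Type" path below leaves a
     * defined value for the charset ? charset : "" guard to test. */
    char *charset = NULL;
    char *end;

    /* apr_pstrdup(r->pool, r->content_type) returns NULL for a NULL input;
     * a private copy is needed because the split writes NUL terminators. */
    if (content_type) {
        if (strlen(content_type) >= sizeof buf)
            return -1;
        strcpy(buf, content_type);
        type = buf;
    }

    /* Same control flow as the excerpt: when type is NULL this block is
     * skipped entirely and charset is never assigned (EVENT 3 false path). */
    if (type) {
        charset = strchr(type, ' ');
        if (charset) {
            *charset++ = 0;          /* terminate "type" at the space */
            end = strchr(charset, ' ');
            if (end) {
                *end++ = 0;          /* drop anything after the charset token */
            }
        }
    }

    int n = snprintf(out, outlen, "data:%s%s;base64,",
                     type ? type : "", charset ? charset : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Convenience check: 1 if the prefix built for content_type equals expected,
 * 0 otherwise or on error. */
int prefix_equals(const char *content_type, const char *expected)
{
    char out[128];
    if (build_data_uri_prefix(content_type, out, sizeof out) != 0)
        return 0;
    return strcmp(out, expected) == 0;
}
```

With a NULL Content-Type the result is `data:;base64,`, which is what the guarded format string was evidently meant to produce.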
