From: Igor Galić <i.galic@brainsware.org>
To: dev@httpd.apache.org
Date: Thu, 09 Jun 2011 21:39:07 -0000 (UTC)
Subject: Re: Possible uninitialized variable in mod_data.c
In-Reply-To: <20110609131419.GA30290@localhost>

----- Original Message -----
> Hi Folks,
>
> We recently started using Sentry (static analysis tool) to analyze
> apache httpd on a nightly basis. Sentry found a potential uninitialized
> variable in mod_data.c added in commit 1133582.

I think our human review machine already caught that one
http://mail-archives.apache.org/mod_mbox/httpd-dev/201106.mbox/%3C4DF07362.3060501@apache.org%3E

> I'm not sure if this case is actually possible at runtime, but
> I'll describe it here. Note, you can view the file I'm talking
> about here,
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_data.c?revision=1133582&view=markup&pathrev=1133582
>
> static apr_status_t data_out_filter(...
> {
>     ...
>     if (!ctx) {
>         ...
>         // EVENT 1: charset is uninitialized
>         char *charset;
>         ...
>         // EVENT 2: Take false path here
>         if (!ap_is_initial_req(f->r)) {
>             ap_remove_output_filter(f);
>             return ap_pass_brigade(f->next, bb);
>         }
>         ...
>         type = apr_pstrdup(r->pool, r->content_type);
>         // EVENT 3: take false path here
>         if (type) {
>             charset = strchr(type, ' ');
>             if (charset) {
>                 *charset++ = 0;
>                 end = strchr(charset, ' ');
>                 if (end) {
>                     *end++ = 0;
>                 }
>             }
>         }
>
>         // EVENT 4: charset is used uninitialized.
>         // If it's possible to reach this case, you could potentially
>         // pass bogus data into the second %s.
>         apr_brigade_printf(ctx->bb, NULL, NULL, "data:%s%s;base64,",
>                            type ? type : "", charset ? charset : "");
>
> If this case is reachable, I would suggest a patch like this:
>
> - char *charset;
> + char *charset = 0;
>
> Thanks,
> Chris
>
> --
> Chris Wilson
> http://vigilantsw.com/
> Vigilant Software, LLC

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
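Review bot: The `-`/`+` pair's initializer is the right minimal fix for the path where `type` is NULL, because `charset` is otherwise only assigned inside `if (type)` and the `charset ? charset : ""` argument at EVENT 4 would read an indeterminate pointer; since it is a pointer, `char *charset = NULL;` reads better than `= 0` and matches the NULL comparisons in the same function. Also, as the reply notes, this was already raised in the linked thread, so check there before submitting a duplicate patch.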