Bug #2583
closedDereference a null pointer
Description
There is below issues of null dereference describes as :
1).
File :lighttpd-1.4.35/src/mod_scgi.c
Issue :Dereferencing a null pointer
Issue Descritption :
Deferencing a null pointers ""s"" which is type of const char *s , if null return by
get_http_version_name(con->request.http_version); and
get_http_method_name(con->request.http_method);
when version name or method name not found.
Solution:
There should be check "s" for NULL return by get_http_version_name() and
get_http_method_name ()"
Note : The Respective patch are attached herewith for your reference .
Files
Updated by pankaj.s01@samsung.com over 10 years ago
- File lighty-1.4.35.patch lighty-1.4.35.patch added
- Status changed from New to Patch Pending
Hello,
Thanks for your's valuable suggestions for lemon.c
here, I have attached patch with "force_assert" for (src/mod_cgi.c and src/mod_scgi.c) :
* get_http_version_name and
* get_http_method_name (if these return NULL )
Updated by gstrauss over 8 years ago
Please mark this ticket fixed. Looks like the second patch was applied in 5c5f67a5 back in Oct 2015.
https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/3047
Note that there are other locations which use get_http_*_name() from keyvalue.[ch] and which do not check for NULL. For a more inclusive fix, perhaps keyvalue.c:keyvalue_get_value() should return "" instead of NULL. Anything which wanted to check for a match could check if (*s != '\0'), though everything which currently calls get_http_*_name() in lighttpd core assumes a non-NULL return value, with a couple locations testing with force_assert(), but most not testing at all.
Updated by stbuehler over 8 years ago
- Status changed from Patch Pending to Fixed
Applied in r3047 (1.4.38)
Updated by stbuehler over 8 years ago
- Related to Bug #2582: Dereference a null pointer added
Updated by stbuehler over 8 years ago
- Related to deleted (Bug #2582: Dereference a null pointer)
Updated by stbuehler over 8 years ago
- Has duplicate Bug #2582: Dereference a null pointer added
Updated by gstrauss over 8 years ago
buffer_copy_string() and buffer_append_string() check if string arg is NULL, so most current use of get_http_*_name() won't crash.
Still an issue: http_auth.c and mod_fastcgi.c do not check for NULL before calling strlen() on results from get_http_method_name() and get_http_version_name().
Submitted https://github.com/lighttpd/lighttpd1.4/pull/25 to add force_assert() for consistency with what is done in mod_scgi.c
Also available in: Atom