Bug #2583

closed

Dereference a null pointer

Added by pankaj.s01@samsung.com almost 8 years ago. Updated about 6 years ago.

Status: Fixed
Priority: Normal
Category: -
Target version: -

Description

The following null dereference issue is described below:
1)
File: lighttpd-1.4.35/src/mod_scgi.c
Issue: Dereferencing a null pointer
Issue Description:
The pointer "s", which is of type const char *, is dereferenced when NULL is returned by
get_http_version_name(con->request.http_version); and
get_http_method_name(con->request.http_method);
when the version name or method name is not found.
Solution:
"s" should be checked for NULL when returned by get_http_version_name() and
get_http_method_name().

Note: The respective patch is attached for your reference.


Files

light-mod_scgi-1.4.35.patch (925 Bytes) pankaj.s01@samsung.com, 2014-07-07 12:36
lighty-1.4.35.patch (1.44 KB) pankaj.s01@samsung.com, 2014-07-08 06:20

Related issues

Has duplicate Bug #2582: Dereference a null pointer (Duplicate, 2014-07-07 to 2014-07-14)

Actions #1

Updated by pankaj.s01@samsung.com almost 8 years ago

Hello,
Thanks for your valuable suggestions for lemon.c.
Here I have attached a patch with "force_assert" for src/mod_cgi.c and src/mod_scgi.c, covering get_http_version_name and get_http_method_name (if these return NULL).

Actions #2

Updated by gstrauss over 6 years ago

Please mark this ticket fixed. Looks like the second patch was applied in 5c5f67a5 back in Oct 2015.
https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/3047

Note that there are other locations which use get_http_*_name() from keyvalue.[ch] and which do not check for NULL. For a more inclusive fix, perhaps keyvalue.c:keyvalue_get_value() should return "" instead of NULL. Anything which wanted to check for a match could check if (*s != '\0'), though everything which currently calls get_http_*_name() in lighttpd core assumes a non-NULL return value, with a couple locations testing with force_assert(), but most not testing at all.

See also https://redmine.lighttpd.net/issues/2584

Actions #3

Updated by stbuehler over 6 years ago

  • Status changed from Patch Pending to Fixed

Applied in r3047 (1.4.38)

Actions #4

Updated by stbuehler over 6 years ago

  • Related to Bug #2582: Dereference a null pointer added
Actions #5

Updated by stbuehler over 6 years ago

  • Related to deleted (Bug #2582: Dereference a null pointer)
Actions #6

Updated by stbuehler over 6 years ago

  • Has duplicate Bug #2582: Dereference a null pointer added
Actions #7

Updated by gstrauss over 6 years ago

buffer_copy_string() and buffer_append_string() check if string arg is NULL, so most current use of get_http_*_name() won't crash.

Still an issue: http_auth.c and mod_fastcgi.c do not check for NULL before calling strlen() on results from get_http_method_name() and get_http_version_name().

Submitted https://github.com/lighttpd/lighttpd1.4/pull/25 to add force_assert() for consistency with what is done in mod_scgi.c
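
Added example, not part of the ticket and not lighttpd's code: a minimal C sketch of the two handling strategies discussed in comments #2 and #7, an explicit NULL check before strlen() versus a lookup that returns "" for unknown keys. The table, the function names and the error-code convention are assumptions made for illustration; the applied fix uses force_assert(), which aborts instead of returning an error.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a key/value name table; not lighttpd's keyvalue.c. */
struct kv { int key; const char *value; };

static const struct kv methods[] = {        /* constructed sample table */
    { 0, "GET" }, { 1, "POST" }, { 2, "HEAD" }, { -1, NULL }
};

/* Behaviour described in the ticket: NULL when the key is not in the table. */
const char *name_or_null(const struct kv *t, int key) {
    for (; t->value != NULL; t++)
        if (t->key == key) return t->value;
    return NULL;
}

/* Alternative suggested in comment #2: return "" so callers never see NULL. */
const char *name_or_empty(const struct kv *t, int key) {
    const char *s = name_or_null(t, key);
    return s != NULL ? s : "";
}

/* Caller with an explicit check. Without it, strlen(NULL) is undefined
 * behaviour and typically crashes the process. *len is left untouched on failure. */
int checked_len(const struct kv *t, int key, size_t *len) {
    const char *s = name_or_null(t, key);
    if (s == NULL) return -1;
    *len = strlen(s);
    return 0;
}

/* Caller using the "" sentinel: strlen() is always safe, and a match is
 * detected with (*s != '\0') as comment #2 proposes. */
int sentinel_len(const struct kv *t, int key, size_t *len) {
    const char *s = name_or_empty(t, key);
    *len = strlen(s);
    return *s != '\0' ? 0 : -1;
}

int main(void) {
    size_t n = 0;
    /* Key 99 is not in the table: both callers report "no match" without crashing. */
    int ok = checked_len(methods, 99, &n) == -1 && sentinel_len(methods, 99, &n) == -1;
    return ok ? 0 : 1;
}
```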

Actions #8

Updated by gstrauss about 6 years ago

additional fixes applied in r3121
