Browse Source

fix errors detected by Coverity Scan

fd leak in mod_dirlisting.c
use after free in error condition in mod_proxy.c
NULL pointer dereference in error message in chunk.c

additional minor code changes made to quiet other coverity warnings
personal/stbuehler/mod-csrf-old
Glenn Strauss 5 years ago
parent
commit
879a282de7
  1. 4
      src/chunk.c
  2. 2
      src/configfile-glue.c
  3. 2
      src/connections.c
  4. 2
      src/fdevent.h
  5. 1
      src/mod_dirlisting.c
  6. 3
      src/mod_proxy.c
  7. 1
      src/network.c
  8. 2
      src/request.c
  9. 5
      src/test_configfile.c

4
src/chunk.c

@ -422,7 +422,7 @@ void chunkqueue_steal(chunkqueue *dest, chunkqueue *src, off_t len) {
static chunk *chunkqueue_get_append_tempfile(chunkqueue *cq) {
chunk *c;
buffer *template = buffer_init_string("/var/tmp/lighttpd-upload-XXXXXX");
int fd;
int fd = -1;
if (cq->tempdirs && cq->tempdirs->used) {
/* we have several tempdirs, only if all of them fail we jump out */
@ -488,13 +488,13 @@ int chunkqueue_append_mem_to_tempfile(server *srv, chunkqueue *dest, const char
/* the chunk is too large now, close it */
int rc = close(dst_c->file.fd);
dst_c->file.fd = -1;
dst_c = NULL;
if (0 != rc) {
log_error_write(srv, __FILE__, __LINE__, "sbss",
"close() temp-file", dst_c->file.name, "failed:",
strerror(errno));
return -1;
}
dst_c = NULL;
}
} else {
dst_c = NULL;

2
src/configfile-glue.c

@ -279,7 +279,7 @@ static int config_addrstr_eq_remote_ip_mask(server *srv, const char *addrstr, in
&& IN6_IS_ADDR_V4MAPPED(&val.ipv6.sin6_addr)) {
in_addr_t x = *(in_addr_t *)(val.ipv6.sin6_addr.s6_addr+12);
uint32_t nm =
htonl(~((1u << (32 - (0 != nm_bits ? (nm_bits > 96 ? nm_bits - 96 : 0) : 32))) - 1));
nm_bits < 128 ? htonl(~(~0u >> (nm_bits > 96 ? nm_bits - 96 : 0))) : ~0u;
return ((x & nm) == (rmt->ipv4.sin_addr.s_addr & nm));
} else {
return 0;

2
src/connections.c

@ -290,7 +290,7 @@ static int connection_handle_write_prepare(server *srv, connection *con) {
"</html>\n"
));
http_chunk_append_buffer(srv, con, b);
(void)http_chunk_append_buffer(srv, con, b);
buffer_free(b);
response_header_overwrite(srv, con, CONST_STR_LEN("Content-Type"), CONST_STR_LEN("text/html"));

2
src/fdevent.h

@ -181,7 +181,7 @@ int fdevent_reset(fdevents *ev); /* "init" after fork() */
void fdevent_free(fdevents *ev);
#define fdevent_event_get_interest(ev, fd) \
(-1 != (fd) ? (ev)->fdarray[(fd)]->events : 0)
((fd) >= 0 ? (ev)->fdarray[(fd)]->events : 0)
void fdevent_event_set(fdevents *ev, int *fde_ndx, int fd, int events); /* events can be FDEVENT_IN, FDEVENT_OUT or FDEVENT_IN | FDEVENT_OUT */
void fdevent_event_add(fdevents *ev, int *fde_ndx, int fd, int event); /* events can be FDEVENT_IN or FDEVENT_OUT */
void fdevent_event_clr(fdevents *ev, int *fde_ndx, int fd, int event); /* events can be FDEVENT_IN or FDEVENT_OUT */

1
src/mod_dirlisting.c

@ -504,6 +504,7 @@ static void http_list_directory_include_file(buffer *out, buffer *path, const ch
buffer_append_string_len(out, buf, (size_t)rd);
}
}
close(fd);
if (encode) {
buffer_append_string_len(out, CONST_STR_LEN("</pre>"));

3
src/mod_proxy.c

@ -916,6 +916,7 @@ static handler_t proxy_send_request(server *srv, handler_ctx *hctx) {
} else {
data_proxy *host = hctx->host;
connection *con = hctx->remote_conn;
plugin_data *p = hctx->plugin_data;
log_error_write(srv, __FILE__, __LINE__, "sbdd", "proxy-server disabled:",
host->host,
host->port,
@ -928,7 +929,7 @@ static handler_t proxy_send_request(server *srv, handler_ctx *hctx) {
/* reset the enviroment and restart the sub-request */
con->mode = DIRECT;/*(avoid changing con->state, con->http_status)*/
proxy_connection_close(srv, hctx);
con->mode = hctx->plugin_data->id; /* p->id */
con->mode = p->id;
return HANDLER_COMEBACK;
}

1
src/network.c

@ -344,6 +344,7 @@ static int network_server_init(server *srv, buffer *host_token, specific_config
#ifdef HAVE_SYS_UN_H
if (AF_UNIX == srv_socket->addr.plain.sa_family) {
/* check if the socket exists and try to connect to it. */
force_assert(host); /*(static analysis hint)*/
if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, 0))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
goto error_free_socket;

2
src/request.c

@ -279,7 +279,7 @@ int http_request_host_normalize(buffer *b) {
char *bracket = b->ptr+blen-1;
int rc;
char buf[INET6_ADDRSTRLEN];
if (blen == 2) return -1; /*(invalid "[]")*/
if (blen <= 2) return -1; /*(invalid "[]")*/
if (*bracket != ']') {
bracket = (char *)memchr(b->ptr+1, ']', blen-1);
if (NULL == bracket || bracket[1] != ':' || bracket - b->ptr == 1){

5
src/test_configfile.c

@ -1,5 +1,6 @@
#include "configfile-glue.c"
#include <assert.h>
#include <stdlib.h>
#include <stdio.h>
@ -42,6 +43,7 @@ const struct {
static void test_configfile_addrbuf_eq_remote_ip_mask (void) {
int i, m;
buffer * const s = buffer_init();
char *slash;
sock_addr rmt;
for (i = 0; i < (int)(sizeof(rmtmask)/sizeof(rmtmask[0])); ++i) {
@ -62,7 +64,8 @@ static void test_configfile_addrbuf_eq_remote_ip_mask (void) {
}
#endif
buffer_copy_string(s, rmtmask[i].string);
m = config_addrbuf_eq_remote_ip_mask(NULL,s,strchr(s->ptr,'/'),&rmt);
slash = strchr(s->ptr,'/'); assert(slash);
m = config_addrbuf_eq_remote_ip_mask(NULL, s, slash, &rmt);
if (m != rmtmask[i].expect) {
fprintf(stderr, "failed assertion: %s %s %s\n",
rmtmask[i].string,

Loading…
Cancel
Save