https://bz.apache.org/bugzilla/show_bug.cgi?id=60903
Bug ID: 60903
Summary: PVS-Studio: fixed weaknesses
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: All
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Created attachment 34868
--> https://bz.apache.org/bugzilla/attachment.cgi?id=34868&action=edit
Patch
I have found and fixed weaknesses CWE-476 (NULL Pointer Dereference) and
CWE-570 (Expression is Always True) using the PVS-Studio tool.
Analyzer warnings: V528, V595, V560, V581.
PVS-Studio is a static code analyzer for C, C++ and C#.
Also the analyzer issued several warnings, but I decided not to fix them
because it’s hard for me to say how this code can be edited. I think this
information could be useful for you.
PVS-Studio found zeroing of the buffer using the memset function (warning V597)
(passwd_common.c, lines 161 and 165
https://github.com/apache/httpd/blob/9a4db4a718a157c86997aea69599e3db4169ab6c/support/passwd_common.c#L161).
The compiler can delete the call of the memset function, then the buffer
remains uncleared (more details can be found in the documentation to the
diagnostic V597 (https://www.viva64.com/en/w/V547/)). This warning corresponds
to CWE-14 (Compiler Removal of Code to Clear Buffers). Perhaps you have your own
safe functions to clear the buffer, but here it was just forgotten.
I've also attached a patch of the commit.
Thanks.
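
The V597 / CWE-14 pattern described in the report above, shown as an added example that is not part of the original report and is not httpd code: a `memset` on a buffer that is never read again, beside a form whose stores the compiler keeps. All function names here (`secure_zero`, `use_password_weak`, `use_password_hardened`, `wipe_leaves_zeroes`) are hypothetical, and `strlen` stands in for real password processing.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not an httpd or APR function. Stores made through a
 * volatile-qualified lvalue are treated as observable, so compilers keep
 * them even when the buffer is never read again. */
static void secure_zero(void *p, size_t len)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--)
        *vp++ = 0;
}

/* Weak pattern (CWE-14): pw is dead after memset(), so an optimizing
 * compiler may delete the call and leave the secret on the stack. */
static size_t use_password_weak(const char *input)
{
    char pw[64];
    size_t n;
    strncpy(pw, input, sizeof(pw) - 1);
    pw[sizeof(pw) - 1] = '\0';
    n = strlen(pw);              /* stand-in for hashing the password */
    memset(pw, 0, sizeof(pw));   /* dead store: removable */
    return n;
}

/* Hardened form: same logic, but the wipe goes through secure_zero(). */
static size_t use_password_hardened(const char *input)
{
    char pw[64];
    size_t n;
    strncpy(pw, input, sizeof(pw) - 1);
    pw[sizeof(pw) - 1] = '\0';
    n = strlen(pw);
    secure_zero(pw, sizeof(pw));
    return n;
}

/* Returns 1 if secure_zero() leaves a constructed sample buffer all-zero. */
static int wipe_leaves_zeroes(void)
{
    unsigned char buf[32];
    size_t i;
    memset(buf, 0xAA, sizeof(buf));  /* constructed stand-in for a secret */
    secure_zero(buf, sizeof(buf));
    for (i = 0; i < sizeof(buf); i++)
        if (buf[i] != 0) return 0;
    return 1;
}
```

Where the platform provides them, `explicit_bzero` or the optional C11 Annex K `memset_s` serve the same purpose as the hypothetical `secure_zero`.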