[GitHub] trafficserver issue #1302: CID 1368306 & 1368305: NULLPTR and security BP in...

[zwoop]

GitHub user zwoop opened an issue:

    https://github.com/apache/trafficserver/issues/1302

    CID 1368306 & 1368305: NULLPTR and security BP in logical.cc

    ```c
    ** CID 1368306:  Security best practices violations  (TOCTOU)
    /proxy/logcat.cc: 299 in main()
    
    
    
________________________________________________________________________________________________________
    *** CID 1368306:  Security best practices violations  (TOCTOU)
    /proxy/logcat.cc: 299 in main()
    293     
    294       if (n_file_arguments) {
    295         int bin_ext_len   = 
strlen(LOG_FILE_BINARY_OBJECT_FILENAME_EXTENSION);
    296         int ascii_ext_len = 
strlen(LOG_FILE_ASCII_OBJECT_FILENAME_EXTENSION);
    297     
    298         for (unsigned i = 0; i < n_file_arguments; ++i) {
       CID 1368306:  Security best practices violations  (TOCTOU)
       Calling function "open" that uses "file_arguments[i]" after a check 
function. This can cause a time-of-check, time-of-use race condition.
    299           int in_fd = open(file_arguments[i], O_RDONLY);
    300           if (in_fd < 0) {
    301             fprintf(stderr, "Error opening input file %s: ", 
file_arguments[i]);
    302             perror(0);
    303             error = DATA_PROCESSING_ERROR;
    304           } else {
    
    ** CID 1368305:  Null pointer dereferences  (REVERSE_INULL)
    /plugins/experimental/money_trace/money_trace.cc: 129 in 
mt_check_request_header(tsapi_httptxn *)()
    
    
    
________________________________________________________________________________________________________
    *** CID 1368305:  Null pointer dereferences  (REVERSE_INULL)
    /plugins/experimental/money_trace/money_trace.cc: 129 in 
mt_check_request_header(tsapi_httptxn *)()
    123             txn_data                                   = 
allocTransactionData();
    124             txn_data->client_request_mt_header         = 
TSstrndup(hdr_value, length);
    125             txn_data->client_request_mt_header[length] = '\0'; // 
workaround for bug in core.
    126             LOG_DEBUG("found money trace header: %s, length: %d", 
txn_data->client_request_mt_header, length);
    127             if (nullptr == (contp = TSContCreate(transaction_handler, 
nullptr))) {
    128               LOG_ERROR("failed to create the transaction handler 
continuation");
       CID 1368305:  Null pointer dereferences  (REVERSE_INULL)
       Null-checking "txn_data" suggests that it may be null, but it has 
already been dereferenced on all paths leading to the check.
    129               if (nullptr != txn_data) {
    130                 TSfree(txn_data->client_request_mt_header);
    131                 TSfree(txn_data);
    132               }
    133             } else {
    134               TSContDataSet(contp, txn_data);
    ```

----

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---