Re: Coding standards, avoiding vulnerabilities in httpd
On Tue, Sep 16, 2014 at 9:09 PM, Notes Jonny jong...@gmail.com wrote:

> Hello
>
> I had a quick look at httpd 2.4.10 (couldn't find on the website how to check out the trunk) http://httpd.apache.org/docs/trunk/
>
> Taking this file as an example: httpd-2.4.10/modules/ssl/ssl_engine_init.c
>
> 1) Doesn't check make_dh_params() prime is a non-NULL valid function pointer.
> 2) DH *modssl_get_dh_params(unsigned keylen). keylen doesn't have a type. Better to write unsigned int keylen.
> 3) ssl_add_version_components() doesn't check s and p are valid non-NULL parameters before using them.
> 4) ssl_add_version_components() modver, incver, libver should probably be const char *.
> 5) ssl_init_Module(): all pointer params should be checked to be non-NULL, and an appropriate error apr_status_t returned (something other than APR_SUCCESS).
>
> In my view, worth making these changes. You may already be familiar with ISO/IEC TR 24772, which covers this kind of thing.
>
> Regards,
> Jonny

Hello

Would a patch be supported to add these improvements?
Coding standards, avoiding vulnerabilities in httpd
Hello

I had a quick look at httpd 2.4.10 (couldn't find on the website how to check out the trunk) http://httpd.apache.org/docs/trunk/

Taking this file as an example: httpd-2.4.10/modules/ssl/ssl_engine_init.c

1) Doesn't check make_dh_params() prime is a non-NULL valid function pointer.
2) DH *modssl_get_dh_params(unsigned keylen). keylen doesn't have a type. Better to write unsigned int keylen.
3) ssl_add_version_components() doesn't check s and p are valid non-NULL parameters before using them.
4) ssl_add_version_components() modver, incver, libver should probably be const char *.
5) ssl_init_Module(): all pointer params should be checked to be non-NULL, and an appropriate error apr_status_t returned (something other than APR_SUCCESS).

In my view, worth making these changes. You may already be familiar with ISO/IEC TR 24772, which covers this kind of thing.

Regards,
Jonny
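The pattern items 1, 2 and 5 ask for, as an added example that is not httpd's code: the table is modelled on the dhparams array in ssl_engine_init.c, and dh_t, status_t, the prime_* callbacks and the status values are constructed stand-ins so it builds without OpenSSL or APR.

```c
#include <stddef.h>

/* Added example modelled on the dhparams table in ssl_engine_init.c; not
 * httpd's code. dh_t and status_t are constructed stand-ins for DH and
 * apr_status_t so this builds without OpenSSL or APR. */
typedef struct { unsigned int bits; } dh_t;
typedef int status_t;
enum { STATUS_OK = 0, STATUS_EINVAL = 1 };  /* constructed, not APR's values */

static dh_t dh4096 = { 4096 }, dh2048 = { 2048 }, dh1024 = { 1024 };
static dh_t *prime_4096(void) { return &dh4096; }
static dh_t *prime_2048(void) { return &dh2048; }
static dh_t *prime_1024(void) { return &dh1024; }

static struct dhparam {
    dh_t *(*const prime)(void);  /* builds the group; must be checked for NULL */
    dh_t *dh;                    /* filled in by init_dh_params() */
    const unsigned int min;      /* smallest key length (bits) this entry serves */
} dhparams[] = {
    { prime_4096, NULL, 3073 },
    { NULL,       NULL, 2049 },  /* deliberately misconfigured entry */
    { prime_2048, NULL, 1025 },
    { prime_1024, NULL, 513 },
};
#define NPARAMS (sizeof(dhparams) / sizeof(dhparams[0]))

/* Initialise each entry. A NULL callback is skipped instead of being called
 * through, and the problem is reported as a status rather than a crash. */
static status_t init_dh_params(void)
{
    unsigned int n;
    status_t rv = STATUS_OK;
    for (n = 0; n < NPARAMS; n++) {
        if (dhparams[n].prime == NULL) { rv = STATUS_EINVAL; continue; }
        dhparams[n].dh = dhparams[n].prime();
    }
    return rv;
}

/* Strongest initialised group whose minimum fits keylen; NULL if none does.
 * keylen is spelled out as unsigned int, as the post suggests. */
static dh_t *get_dh_params(unsigned int keylen)
{
    unsigned int n;
    for (n = 0; n < NPARAMS; n++)
        if (keylen >= dhparams[n].min && dhparams[n].dh != NULL)
            return dhparams[n].dh;
    return NULL;  /* caller must treat this as an error, not proceed */
}
```

With the misconfigured entry present, init_dh_params() reports STATUS_EINVAL and a 2500-bit request falls through to the 2048-bit group instead of dereferencing a NULL pointer.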
Re: Coding standards, avoiding vulnerabilities in httpd
On 16/09/2014 22:09, Notes Jonny wrote:

> Hello
>
> I had a quick look at httpd 2.4.10 (couldn't find on the website how to check out the trunk)

See http://httpd.apache.org/dev/devnotes.html

CJ