search

lpereira / lwan

Experimental, scalable, high performance HTTP server
https://lwan.ws
GNU General Public License v2.0
5.92k stars 549 forks source link

Null pointer deference on function timeouts_get #288

Closed ycaibb closed 4 years ago

ycaibb commented 4 years ago

The function is on lwan/src/lib/timeout.c.

struct timeout *timeouts_get(struct timeouts *T)
{
    if (!list_empty(&T->expired)) {
        struct timeout *to = list_top(&T->expired, struct timeout, tqe); // the variable to can be null

        list_del_from(&T->expired, &to->tqe); //deference here
        to->pending = NULL;

        return to;
    } else {
        return NULL;
    }
}

The function is on lwan/src/lib/list.h. This function can return null to the caller.

static inline const void *list_top_(const struct list_head *h, size_t off)
{
    if (list_empty(h))
        return NULL;
    return (const char *)h->n.next - off;
}
lpereira commented 4 years ago

list_top() will only be called if the list isn't empty, so it's never going to return NULL there

On Thu, Sep 3, 2020, 01:35 Ryan notifications@github.com wrote:

The function is on lwan/src/lib/timeout.c.

struct timeout timeouts_get(struct timeouts T) { if (!list_empty(&T->expired)) { struct timeout *to = list_top(&T->expired, struct timeout, tqe); // the variable to can be null

    list_del_from(&T->expired, &to->tqe); //deference here
    to->pending = NULL;

    return to;
} else {
    return NULL;
}

}

The function is on lwan/src/lib/list.h. This function can return null to the caller.

static inline const void listtop(const struct list_head h, size_t off) { if (list_empty(h)) return NULL; return (const char *)h->n.next - off; }

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/lpereira/lwan/issues/288, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAADVGJ2TJWDLXN2YDCSQUDSD5IO3ANCNFSM4QUPXQWQ .

ycaibb commented 4 years ago

OK, thank you for your confirmation.