lpereira / lwan

Experimental, scalable, high performance HTTP server
https://lwan.ws
GNU General Public License v2.0

Null pointer dereference on function hash_add #289

Closed ycaibb closed 4 years ago

ycaibb commented 4 years ago

Hi, developers, I found a null pointer dereference in the function hash_add.

The function is in lwan/src/lib/hash.c

/*
 * Obtains the entry for `key` from hash_add_entry() and releases the key and
 * value that entry currently holds through the table's free_key/free_value
 * callbacks.
 *
 * Returns 0 on success, or -errno when hash_add_entry() yields no entry.
 *
 * Precondition: `hash` must be a valid table. It is passed to
 * hash_add_entry() and then dereferenced for the callbacks without any NULL
 * check, so a caller that forwards an unchecked allocation result crashes
 * here (or earlier, inside hash_add_entry(), which is not shown).
 *
 * NOTE(review): as quoted, `key` and `value` are never stored in the entry
 * after the old ones are released; the listing may be abbreviated -- confirm
 * against the full source.
 */
int hash_add(struct hash *hash, const void *key, const void *value)
{
    struct hash_entry *slot;

    slot = hash_add_entry(hash, key);
    if (slot == NULL) {
        return -errno;
    }

    /* First dereference of `hash` visible in this function. */
    hash->free_value((void *)slot->value);
    hash->free_key((void *)slot->key);

    return 0;
}

The function is in lwan/src/lib/lwan.c

/*
 * Excerpt from lwan.c as quoted in the report; "...;" and "....;" stand for
 * code the reporter left out, so the braces below do not balance.
 *
 * For each CONFIG_LINE_TYPE_LINE read from the config, a copy of the line's
 * key and value is added to a string hash table.
 */
static void parse_listener_prefix(struct config *c,
                                  const struct config_line *l,
                                  struct lwan *lwan,
                                  const struct lwan_module *module,
                                  void *handler)
{
    struct lwan_url_map url_map = {};
    /* hash_str_new() hands back hash_internal_new()'s result, which is NULL
     * when malloc() fails. Nothing visible in this excerpt checks for that.
     * NOTE(review): the maintainer's requested fix is to call the critical
     * logging function here when hash_str_new() fails. */
    struct hash *hash = hash_str_new(free, free);
    ...;
    while ((l = config_read_line(c))) {
        switch (l->type) {
        case CONFIG_LINE_TYPE_LINE:
            /* With a NULL table, hash_add() dereferences `hash` (the
             * reported crash).
             * NOTE(review): the strdup() results and hash_add()'s return
             * value are also unchecked here; a failed strdup() passes NULL
             * as key or value, and on a hash_add() failure both copies
             * would leak -- confirm against the full source. */
            hash_add(hash, strdup(l->key), strdup(l->value));
            break;

           ....;
    }
}

The function is in lwan/src/lib/hash.c

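/*
 * Key comparator for string tables, declared with the exact signature
 * hash_internal_new() expects. Passing strcmp through a cast to
 * int (*)(const void *, const void *) yields a pointer of an incompatible
 * function type; calling through such a pointer is undefined behaviour in C,
 * and type-checking indirect-call CFI schemes can reject it.
 */
static int hash_str_key_compare(const void *k1, const void *k2)
{
    return strcmp((const char *)k1, (const char *)k2);
}

/*
 * Creates a hash table keyed by C strings by delegating to
 * hash_internal_new() with hash_str as the hashing function and a
 * strcmp-based comparator.
 *
 * free_key / free_value: callbacks used to release keys and values; a NULL
 * callback is replaced by no_op.
 *
 * Returns whatever hash_internal_new() returns. That includes NULL when its
 * allocation fails, so callers must check the result before handing it to
 * hash_add() or any other function that dereferences the table.
 */
struct hash *hash_str_new(void (*free_key)(void *value),
                          void (*free_value)(void *value))
{
    return hash_internal_new(
        hash_str, hash_str_key_compare,
        free_key ? free_key : no_op, free_value ? free_value : no_op);
}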

The function is in lwan/src/lib/hash.c.

/*
 * Allocates a struct hash with malloc(). Excerpt as quoted in the report:
 * "...;" stands for the omitted remainder, so how the four callbacks are
 * stored and what is returned on success is not shown here.
 *
 * Returns NULL when malloc() fails. hash_str_new() passes that NULL straight
 * through to its caller, so the check has to happen at the call site that
 * goes on to use the table.
 */
static struct hash *
hash_internal_new(unsigned int (*hash_value)(const void *key),
                  int (*key_compare)(const void *k1, const void *k2),
                  void (*free_key)(void *value),
                  void (*free_value)(void *value))
{
    struct hash *hash = malloc(sizeof(*hash));

    /* Out of memory: report it to the caller as NULL rather than aborting. */
    if (hash == NULL)
        return NULL;

   ...;
}
lpereira commented 4 years ago

Would you mind sending a patch that calls the critical logging function when hash_str_new() fails in parse_listener_prefix()?


ycaibb commented 4 years ago

Hi, Leandro

Sorry, I don't have a patch. It was reported by my static analysis tool.

lpereira commented 4 years ago

I see. Which tool is it?

(Issue has been addressed, thanks for reporting.)

ycaibb commented 4 years ago

Thank you for your confirmation. I use Pinpoint, a static analysis tool. You can find the introduction here if you are interested in it.