
Unchecked result of method SSL_set_tlsext_status_type()

Open Anchels opened this issue 11 months ago • 0 comments

Greetings! I've been investigating lua-nginx-module with the Svace static analyzer and it found a curious method to look at.

https://github.com/openresty/lua-nginx-module/blob/004922e1cf95eabde001203e2010365ff5d3e70d/src/ngx_http_lua_socket_tcp.c#L1629-L1881

Here the return value of the method invocation SSL_set_tlsext_status_type() (which calls SSL_ctrl() under the hood) is not checked in the following cases:

https://github.com/openresty/lua-nginx-module/blob/004922e1cf95eabde001203e2010365ff5d3e70d/src/ngx_http_lua_socket_tcp.c#L1791-L1792

and

https://github.com/openresty/lua-nginx-module/blob/004922e1cf95eabde001203e2010365ff5d3e70d/src/ngx_http_lua_socket_tcp.c#L1838

but usually it is checked for the function SSL_ctrl().


The Question:

After long research and reading the official OpenSSL docs, I'm still not sure if it's correct not to check the return value in the cases above.

What do you think about this?


Found by Linux Verification Center (linuxtesting.org) with SVACE.

Anchels, Feb 13 '25 13:02