Code Inconsistencies Detected by Static Analysis

[Anchels]

Return value of a function lua_touserdata is dereferenced without checking for NULL, but it is usually checked for this function:

https://github.com/openresty/lua-nginx-module/blob/9688812a4eba47c1f43892c998e50b988d740f5d/src/ngx_http_lua_socket_tcp.c#L4662-L4673

Similar issue with fucntion ngx_http_lua_get_req:

https://github.com/openresty/lua-nginx-module/blob/9688812a4eba47c1f43892c998e50b988d740f5d/src/ngx_http_lua_socket_tcp.c#L5112-L5117

After having been compared to a NULL value:

https://github.com/openresty/lua-nginx-module/blob/9688812a4eba47c1f43892c998e50b988d740f5d/src/ngx_http_lua_socket_tcp.c#L1814-L1816

pointer server_name->data is dereferenced without null check by calling function memcpy:

https://github.com/openresty/lua-nginx-module/blob/9688812a4eba47c1f43892c998e50b988d740f5d/src/ngx_http_lua_socket_tcp.c#L1855-L1857

Found by Linux Verification Center with SVACE

[splitice]

I think 1 should be fixed I think 2 is fine due to r->main not being NULL. I'm not sure I see the issue with 3 (you see thats does not equal right?) It may be worth adding a check for 4 on https://github.com/openresty/lua-nginx-module/blob/9688812a4eba47c1f43892c998e50b988d740f5d/src/ngx_http_lua_socket_tcp.c#L1846

[Anchels]

@splitice, thank you for the feedback!

I think 2 is fine due to r->main not being NULL.

Do you mean that in this case r will never be NULL?

https://github.com/openresty/lua-nginx-module/blob/9688812a4eba47c1f43892c998e50b988d740f5d/src/ngx_http_lua_socket_tcp.c#L5112

I think it's worth adding a similar check:

https://github.com/openresty/lua-nginx-module/blob/9688812a4eba47c1f43892c998e50b988d740f5d/src/ngx_http_lua_socket_tcp.c#L440-L443

---

I'm not sure I see the issue with 3 (you see thats does not equal right?)

There's no actual issue with 3. It's just indicating that server_name->data may have a NULL value. To clarify 4 🙂

[splitice]

You are right re; 2.