Uninitialized memory leading to crash

[marcstern]

In apache2/persist_dbm.c, in collection_store(), we have the following declaration: char *username;

The variable is supposed to be initialized on line 392: apr_uid_name_get(&username, uid, msr->mp);

In case there's a problem in apr_uid_name_get(), the variable is not initialized. This leads to a crash on line 412: dbm_filename = apr_pstrcat(msr->, "/", username, ...

If username is initialized to a static empty string, no more crash. char *username = ""; We could also check apr_uid_name_get() return code and initialize username only in case of error but this would be less efficient and add useless code.

No idea why the function apr_uid_name_get() fails in my environment, but this can be reproduced easily in a debugger.

The fix is anyway safe and aligned with good practices.

[marcstern]

Here is the a centralized function we're using for years:

char* get_username(apr_pool_t* mp) {
 char* username;
 apr_uid_t uid;
 apr_gid_t gid;
 int rc = apr_uid_current(&uid, &gid, mp);
 if (rc != APR_SUCCESS) return "apache";
 rc = apr_uid_name_get(&username, uid, mp);
 if (rc != APR_SUCCESS) return "apache";
 return username;
}

[marcstern]

This is a duplicate of https://github.com/SpiderLabs/ModSecurity/pull/2046

[martinhsv]

Right. This was a duplicate.