nginx-http-auth-digest icon indicating copy to clipboard operation
nginx-http-auth-digest copied to clipboard
verified publisher icon samizdatco

Fix inconsistency found by static analyzers

Open Anchels opened this issue 11 months ago • 2 comments

Hello! I was analyzing Nginx modules with the Svace static analyzer. It has found an inconsistency code at the following sections of the code:

https://github.com/samizdatco/nginx-http-auth-digest/blob/5a2cae4812d8a1ba5f83dfbcb8d043d05c8e6f97/ngx_http_auth_digest_module.c#L1227-L1247

and

https://github.com/samizdatco/nginx-http-auth-digest/blob/5a2cae4812d8a1ba5f83dfbcb8d043d05c8e6f97/ngx_http_auth_digest_module.c#L1286-L1308

In both methods the result value dropnode of method invocation ngx_array_push is dereferenced without checking for NULL:

https://github.com/samizdatco/nginx-http-auth-digest/blob/5a2cae4812d8a1ba5f83dfbcb8d043d05c8e6f97/ngx_http_auth_digest_module.c#L1245

and

https://github.com/samizdatco/nginx-http-auth-digest/blob/5a2cae4812d8a1ba5f83dfbcb8d043d05c8e6f97/ngx_http_auth_digest_module.c#L1306

Here's the source code for function ngx_array_push:

https://github.com/nginx/nginx/blob/ecb809305e54ed15be9f620d56b19ff4e4be7db5/src/core/ngx_array.c#L47-L91

Note that this function can return NULL. Therefore, when using it, it is important to check the result for NULL in order to avoid possible errors. And as a rule, such check is performed in other modules that use this function.

What do you think about adding the NULL checks?

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Anchels avatar Feb 11 '25 08:02 Anchels

Similar issues, but with ngx_palloc function:

shm_name is dereferenced without checking for null: https://github.com/samizdatco/nginx-http-auth-digest/blob/5a2cae4812d8a1ba5f83dfbcb8d043d05c8e6f97/ngx_http_auth_digest_module.c#L75-L76

same for *d:

https://github.com/samizdatco/nginx-http-auth-digest/blob/5a2cae4812d8a1ba5f83dfbcb8d043d05c8e6f97/ngx_http_auth_digest_module.c#L499-L517

Anchels avatar Jun 17 '25 07:06 Anchels

Looks like it might be worth adding a Null check herу too: HA2.data is dereferenced without checking for NULL: https://github.com/samizdatco/nginx-http-auth-digest/blob/5a2cae4812d8a1ba5f83dfbcb8d043d05c8e6f97/ngx_http_auth_digest_module.c#L716

HA1.data here: https://github.com/samizdatco/nginx-http-auth-digest/blob/5a2cae4812d8a1ba5f83dfbcb8d043d05c8e6f97/ngx_http_auth_digest_module.c#L675

and

auth_fields here: https://github.com/samizdatco/nginx-http-auth-digest/blob/5a2cae4812d8a1ba5f83dfbcb8d043d05c8e6f97/ngx_http_auth_digest_module.c#L286

LM4O322 avatar Jul 08 '25 11:07 LM4O322