https://bz.apache.org/bugzilla/show_bug.cgi?id=64726
Bug ID: 64726
Summary: Three NULL Pointer Dereference Bugs with bug traces
Product: Apache httpd-2
Version: 2.4-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: critical
Priority: P2
Component: mod_dav
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Hi guys,
We have found three NULL Pointer Dereference Bugs as follows. The detail of
each bug is explained.
1. Bug description: `dav_buffer_append` dereferences `str` at line 155 in
`modules/dav/main/util.c`, while `str` is potentially empty string
Root cause: `*fname_p = NULL` in the function `dav_fs_dir_file_name` defined in
`modules/dav/fs/repos.c`
"report 1": {
"Bug Type": "NULL Pointer Dereference",
"CWE ID": "CWE-476",
"tips": [
{
"File": "modules/dav/fs/repos.c",
"Func": "dav_fs_dir_file_name",
"Line": 247
},
{
"File": "modules/dav/fs/repos.c",
"Func": "dav_fs_dir_file_name",
"Line": 292
},
{
"File": "modules/dav/fs/lock.c",
"Func": "dav_fs_add_locknull_state",
"Line": 936
},
{
"File": "modules/dav/fs/lock.c",
"Func": "dav_fs_add_locknull_state",
"Line": 943
},
{
"File": "modules/dav/main/util.c",
"Func": "dav_buffer_append",
"Line": 155
}
]
}
2. Bug description: `dav_fs_insert_prop` dereferences `info` at line 2000 and
line 2004 in the form `info->name`, while `*info` can be null.
Root cause: Although it is claimed that info is not equal to NULL in the
annotation, we check the feasibility of the control flow path and find that
`modules/dav/main/liveprop.c` can set `*info = NULL` at line 127 in
`dav_get_liveprop_info` defined in `modules/dav/main/liveprop.c`
"report 2": {
"Bug Type": "NULL Pointer Dereference",
"CWE ID": "CWE-476",
"tips": [
{
"File": "modules/dav/main/liveprop.c",
"Func": "dav_get_liveprop_info",
"Line": 127
},
{
"File": "modules/dav/main/liveprop.c",
"Func": "dav_get_liveprop_info",
"Line": 129
},
{
"File": "modules/dav/fs/repos.c",
"Func": "dav_fs_insert_prop",
"Line": 1990
},
{
"File": "modules/dav/fs/repos.c",
"Func": "dav_fs_insert_prop",
"Line": 2000
}
]
}
"report 3": {
"Bug Type": "NULL Pointer Dereference",
"CWE ID": "CWE-476",
"tips": [
{
"File": "modules/dav/main/liveprop.c",
"Func": "dav_get_liveprop_info",
"Line": 127
},
{
"File": "modules/dav/main/liveprop.c",
"Func": "dav_get_liveprop_info",
"Line": 129
},
{
"File": "modules/dav/fs/repos.c",
"Func": "dav_fs_insert_prop",
"Line": 1990
},
{
"File": "modules/dav/fs/repos.c",
"Func": "dav_fs_insert_prop",
"Line": 2004
}
]
}
According to CWE 476, there are several problems with leaving the code with
null references. An attacker can take advantage of the opportunity to introduce
malicious code. In this case, we are not sure of the behavior of the compiler
when faced with a null reference.
Best regards
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
