Hi,

Just to pinpoint what the guilty line was:
+++ b/gweb/gweb.c
@@ -611,8 +611,7 @@ static void start_request(struct web_session *session)
                        g_string_append_printf(buf, "%zx\r\n", length);
                        g_string_append_len(buf, (char *) body, length);
                        g_string_append(buf, "\r\n");
+               } else if (session->fd == -1)
+                       g_string_append_len(buf, (char *) body, length);
+               }
        }
 }
 
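Review bot: the new `} else if (session->fd == -1)` branch in this hunk drops the braces that the preceding `if` branch of the same chain keeps (it closes with `}` right before the `else if`), so the chain mixes braced and unbraced arms; brace the single statement for consistency. Beyond style, the guard only tests `fd`, so the appended `body`/`length` pair in `g_string_append_len(buf, (char *) body, length);` is still trusted as-is: either state at the `input_func` declaration that a non-NULL `body` is required whenever `length > 0`, or add a `body != NULL` check in front of the append so a misbehaving callback fails loudly instead of copying from NULL.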

Let's consider do_request() and start_request() functions:

case line 1339:
do_request(type=NULL, input=NULL, fd=-1, length=0):
-> start_request(): session { content_type=NULL, input_func=NULL, fd=-1, length=0 }
        -> if (session->content_type != NULL && length > 0) FALSE. does nothing with fd/length, no issue here

case line 1364:
do_request(type=<val>, input=NULL, fd=<val>, length=<val>):
-> start_request(): session { content_type=<val>, input_func=NULL, fd=<val>, length=<val> }
        -> if (session->content_type != NULL) {
                if (session->input_func == NULL) {
                        session->more_data = FALSE;
                        length = session->length;
                }
        }

        if (session->content_type != NULL && length > 0) {
                fd is definitely not -1, so it will work. 
        }

case line 1346:
do_request(type=<val>, input=<val>, fd=-1, length=0):
-> start_request(): session { content_type=<val>, input_func=<val>, fd=-1, length=0 }
        -> if (session->content_type != NULL) {
                if (session->input_func == NULL) { ... }
                else
                        session->more_data = session->input_func(&body, &length, session->user_data);
                        (==> body and length are set, or else length is 0)
        }

        if (session->content_type != NULL && length > 0) { (==> length was set before)
                if (session->more_data == TRUE) {
                        ... OK ...
                } else if (session->fd == -1)
                        g_string_append_len(buf, (char *) body, length); 
==> will work since body and length are valid.
        }

==> failing point here is not really g_string_append_len(buf, (char *) body, length);, it is session->input_func: if that one does not set length and body properly... then we are screwed.
Is it needed to check body's validity against length then? 

Of course, if a dev introduces a buggy input_func or provides bogus fd/length for do_request... it's introducing a bug.

Imho, input_func has to fulfill body and length properly, so this is a false positive.

Tomasz
_______________________________________________
connman mailing list
connman@connman.net
http://lists.connman.net/listinfo/connman
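The case analysis above, as an added stand-alone C model that is not connman code: it reproduces the three do_request() call-site scenarios (lines 1339, 1364 and 1346 of the message) through a simplified start_request() tail, and adds the "body vs length" check the message asks about, so a callback that reports a length but leaves body NULL is rejected instead of copied from. dyn_buf and struct web_session are simplified stand-ins for GString and gweb's session struct; the callbacks, the scenario() and last_buf_equals() helpers, and all sample values are constructed here.

```c
/* Added example, not connman code: a stand-alone model of the
 * start_request() body-assembly logic quoted in the message, plus the
 * defensive body/length check. dyn_buf and struct web_session are
 * simplified stand-ins for GString and gweb's session struct; the
 * 1339/1364/1346 scenarios and the callbacks are constructed here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    char data[256];
    size_t len;
} dyn_buf;                                   /* stand-in for GString */

/* input_func contract: set *body and *length, return true if more chunks follow */
typedef bool (*input_func_t)(const unsigned char **body, size_t *length, void *user_data);

struct web_session {
    const char *content_type;
    input_func_t input_func;
    int fd;                                  /* -1 when the body is not streamed from a file */
    size_t length;
    bool more_data;
    void *user_data;
};

enum append_result { APPEND_NONE, APPEND_PLAIN, APPEND_CHUNK, APPEND_FROM_FD, APPEND_BAD_INPUT };

static void buf_append(dyn_buf *buf, const char *src, size_t n)
{
    if (buf->len + n > sizeof buf->data)     /* model only; GString would grow */
        return;
    memcpy(buf->data + buf->len, src, n);
    buf->len += n;
}

/* Mirrors the quoted start_request() tail. APPEND_BAD_INPUT is the added
 * check: an input_func that reports length > 0 but leaves body NULL. */
static enum append_result append_request_body(struct web_session *session, dyn_buf *buf)
{
    const unsigned char *body = NULL;
    size_t length = 0;

    if (session->content_type != NULL) {
        if (session->input_func == NULL) {
            session->more_data = false;
            length = session->length;          /* case 1364: data comes from fd later */
        } else {
            session->more_data = session->input_func(&body, &length, session->user_data);
        }
    }

    if (session->content_type == NULL || length == 0)
        return APPEND_NONE;                    /* case 1339 */

    if (session->more_data || session->fd == -1) {
        if (body == NULL)
            return APPEND_BAD_INPUT;           /* would otherwise memcpy from NULL */
        if (session->more_data) {
            char hdr[32];
            int n = snprintf(hdr, sizeof hdr, "%zx\r\n", length);
            buf_append(buf, hdr, (size_t)n);
            buf_append(buf, (const char *)body, length);
            buf_append(buf, "\r\n", 2);
            return APPEND_CHUNK;
        }
        buf_append(buf, (const char *)body, length);
        return APPEND_PLAIN;                   /* case 1346 */
    }
    return APPEND_FROM_FD;                     /* fd != -1: nothing appended here */
}

/* Constructed callbacks: a well-behaved one, a chunked one, and a buggy one. */
static bool plain_input(const unsigned char **body, size_t *length, void *ud)
{ (void)ud; *body = (const unsigned char *)"ab"; *length = 2; return false; }
static bool chunk_input(const unsigned char **body, size_t *length, void *ud)
{ (void)ud; *body = (const unsigned char *)"abc"; *length = 3; return true; }
static bool bogus_input(const unsigned char **body, size_t *length, void *ud)
{ (void)ud; *body = NULL; *length = 3; return false; }

static dyn_buf last_buf;

/* Runs one constructed scenario keyed by the do_request() call-site line
 * numbers from the message; 1 is a chunked callback, 0 the buggy one. */
enum append_result scenario(int which)
{
    struct web_session s = { .content_type = "text/plain", .fd = -1 };
    switch (which) {
    case 1339: s.content_type = NULL; break;
    case 1364: s.fd = 5; s.length = 4; break;
    case 1346: s.input_func = plain_input; break;
    case 1:    s.input_func = chunk_input; break;
    default:   s.input_func = bogus_input; break;
    }
    memset(&last_buf, 0, sizeof last_buf);
    return append_request_body(&s, &last_buf);
}

int last_buf_equals(const char *expect)
{
    return last_buf.len == strlen(expect) && memcmp(last_buf.data, expect, last_buf.len) == 0;
}

int main(void)
{
    const int cases[] = { 1339, 1364, 1346, 1, 0 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum append_result r = scenario(cases[i]);
        printf("scenario %d -> result %d, %zu bytes appended\n", cases[i], (int)r, last_buf.len);
    }
    return 0;
}
```

The three real call sites behave exactly as the message traces them (nothing appended, deferred to fd, plain append); only the constructed bogus callback trips the added check, which is the situation the message describes as "then we are screwed" when no such check exists.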
