Ricardo,

On 06.02.19 at 17:28, Ricardo Nabinger Sanchez wrote:
> Hello,
>
> scan-build found a 28-step path where an uninitialized value could be used in
> h2s_htx_bck_make_req_headers().
>
> Here is a shortened version:
>
>   4378      idx = htx_get_head(htx); // returns the SL that we skip
>   4379      while ((idx = htx_get_next(htx, idx)) != -1) {
>   4380          blk = htx_get_blk(htx, idx);
>   4381          type = htx_get_blk_type(blk);
>   4382
>   4383          if (type == HTX_BLK_UNUSED)
>   4384              continue;
>   4385
>   4386          if (type != HTX_BLK_HDR)
>                   // (here, assume condition is true, so control leaves the loop...)
>   4387              break;
>   4388
>   4389          if (unlikely(hdr >= sizeof(list)/sizeof(list[0]) - 1))
>   4390              goto fail;
>   4391
>                   // (... and list will not be initialized.)

Yes, but hdr will not be incremented either. Thus `list` is an array
without holes.

>   4392          list[hdr].n = htx_get_blk_name(htx, blk);
>   4393          list[hdr].v = htx_get_blk_value(htx, blk);
>   4394          hdr++;
>   4395      }

Line 4398 is missing here, it appends a marker (empty string) to mark
the end of the array.

> ...
>
>   4450      /* look for the Host header and place it in :authority */
>   4451      auth = ist2(NULL, 0);
>   4452      for (hdr = 0; hdr < sizeof(list)/sizeof(list[0]); hdr++) {
>   4453          if (isteq(list[hdr].n, ist("")))
>                   // (here, assume the condition is false, so control keeps in this block...)

We established that `list` is an array without holes terminated by an
empty string.

Thus either:
1. The condition is false, then the value must be initialized or
2. The condition is true, then the loop is exited.

Thus I believe this is a false-positive.

Best regards
Tim Düsterhus
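
The invariant argued in the reply above (entries written without holes, then an end marker, then a scan that tests the marker first), as a stand-alone C model. This is an added example, not code from the thread or from HAProxy: `struct hdr_ent`, `fill_list`, `find_host`, `LIST_LEN` and `last_read` are hypothetical names, plain C strings stand in for `struct ist`, and the sample headers are constructed.

```c
#include <stdio.h>
#include <string.h>

#define LIST_LEN 8                       /* assumed size, not HAProxy's */
struct hdr_ent { const char *n, *v; };   /* stand-in for the name/value pair */
static size_t last_read;                 /* highest index the scan touched */

/* Fill phase: entries are written contiguously; a NULL name models a
 * non-header block that makes the loop break early. The end marker is
 * always written at list[hdr], whichever way the loop was left. */
static int fill_list(struct hdr_ent *list, const char *const *names,
                     const char *const *values, size_t nblk)
{
    size_t hdr = 0;
    for (size_t i = 0; i < nblk; i++) {
        if (names[i] == NULL)
            break;
        if (hdr >= LIST_LEN - 1)         /* keep one slot for the marker */
            return -1;
        list[hdr].n = names[i];
        list[hdr].v = values[i];
        hdr++;
    }
    list[hdr].n = list[hdr].v = "";      /* end marker (empty name) */
    return (int)hdr;
}

/* Scan phase: the marker test comes first, so slots after it are never read. */
static const char *find_host(const struct hdr_ent *list)
{
    for (size_t hdr = 0; hdr < LIST_LEN; hdr++) {
        last_read = hdr;
        if (list[hdr].n[0] == '\0')
            break;
        if (strcmp(list[hdr].n, "host") == 0)
            return list[hdr].v;
    }
    return NULL;
}

int main(void)
{
    struct hdr_ent list[LIST_LEN];       /* deliberately not zeroed */
    const char *names[]  = { "user-agent", NULL, "host" };  /* constructed */
    const char *values[] = { "curl", NULL, "example.test" };
    int n = fill_list(list, names, values, 3);
    const char *host = find_host(list);
    printf("%d header(s), host=%s, last index read=%zu\n",
           n, host ? host : "(none)", last_read);
    return 0;
}
```

The argument holds only while the marker write and the `- 1` bound in the fill loop stay paired; removing either lets the scan reach slots that were never written.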