Ricardo,
On 06.02.19 at 17:28, Ricardo Nabinger Sanchez wrote:
> Hello,
>
> scan-build found a 28-step path where an uninitialized value could be used in
> h2s_htx_bck_make_req_headers().
>
> Here is a shortened version:
>
> 4378     idx = htx_get_head(htx); // returns the SL that we skip
> 4379     while ((idx = htx_get_next(htx, idx)) != -1) {
> 4380         blk = htx_get_blk(htx, idx);
> 4381         type = htx_get_blk_type(blk);
> 4382
> 4383         if (type == HTX_BLK_UNUSED)
> 4384             continue;
> 4385
> 4386         if (type != HTX_BLK_HDR)
>              // (here, assume condition is true, so control leaves the loop...)
> 4387             break;
> 4388
> 4389         if (unlikely(hdr >= sizeof(list)/sizeof(list[0]) - 1))
> 4390             goto fail;
> 4391
>              // (... and list will not be initialized.)

Yes, but hdr will not be incremented either. Thus `list` is an array
without holes.

> 4392         list[hdr].n = htx_get_blk_name(htx, blk);
> 4393         list[hdr].v = htx_get_blk_value(htx, blk);
> 4394         hdr++;
> 4395     }

Line 4398 is missing here, it appends a marker (empty string) to mark
the end of the array.
> ...
>
> 4450     /* look for the Host header and place it in :authority */
> 4451     auth = ist2(NULL, 0);
> 4452     for (hdr = 0; hdr < sizeof(list)/sizeof(list[0]); hdr++) {
> 4453         if (isteq(list[hdr].n, ist("")))
>              // (here, assume the condition is false, so control keeps in this block...)

We established that `list` is an array without holes terminated by an
empty string.

Thus either:
1. The condition is false, then the value must be initialized
or
2. The condition is true, then the loop is exited.

Thus I believe this is a false-positive.

Best regards
Tim Düsterhus
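
The invariant argued in the reply above, as an added example that is not part of the original thread and is not HAProxy code: a reduced model of the fill loop (with the end marker the reply says is appended after it) and the scan loop. `struct blk`, `struct pair`, `fill_list`, `find_host` and `MAX_HDR` are hypothetical stand-ins for the HTX types and the `list` array.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for HTX blocks and name/value pairs (not HAProxy code). */
enum blk_type { BLK_UNUSED, BLK_HDR, BLK_EOH };
struct blk  { enum blk_type type; const char *n, *v; };
struct pair { const char *n, *v; };
#define MAX_HDR 8

/* Fill phase: store header blocks in list[] and append the "" end marker.
 * Returns the number of headers stored, or -1 when list[] would overflow. */
int fill_list(const struct blk *blks, size_t nblk, struct pair *list)
{
    size_t hdr = 0;
    for (size_t i = 0; i < nblk; i++) {
        if (blks[i].type == BLK_UNUSED)
            continue;
        if (blks[i].type != BLK_HDR)
            break;              /* hdr is not incremented, so no hole is left */
        if (hdr >= MAX_HDR - 1)
            return -1;          /* one slot stays reserved for the marker */
        list[hdr].n = blks[i].n;
        list[hdr].v = blks[i].v;
        hdr++;
    }
    list[hdr].n = list[hdr].v = "";   /* marker always lands at index hdr */
    return (int)hdr;
}

/* Scan phase: return the "host" value or NULL; *reads counts slots touched. */
const char *find_host(const struct pair *list, size_t *reads)
{
    *reads = 0;
    for (size_t hdr = 0; hdr < MAX_HDR; hdr++) {
        (*reads)++;
        if (list[hdr].n[0] == '\0')
            break;              /* marker reached before any unset slot */
        if (strcmp(list[hdr].n, "host") == 0)
            return list[hdr].v;
    }
    return NULL;
}
```

Every slot below the returned count is written by the fill loop and the slot at that index holds the marker, so the scan stops before it can touch an unwritten slot, whichever way the fill loop was left.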