Bug 55738

Summary: PVS-Studio: few issues
Product: APR Reporter: Andrey Karpov <karpov>
Component: APRAssignee: Apache Portable Runtime bugs mailinglist <bugs>
Status: NEW ---    
Severity: normal CC: christophe.jaillet
Priority: P2    
Version: HEAD   
Target Milestone: ---   
Hardware: PC   
OS: All   

Description Andrey Karpov 2013-11-03 10:06:46 UTC 
Hello. I am recheck httpd-trunk 2.5.0 and find few issues.
I am use PVS-Studio Static Code Analyzer http://www.viva64.com/

Suspicious:

V528 It is odd that pointer to 'char' type is compared with the '\0' value. Probably meant: ** ctx->re_source == '\0'. libhttpd util_expr_eval.c 167

V528: http://www.viva64.com/en/d/0117/

typedef struct {
  ....
  const char **re_source;
  ....
} ap_expr_eval_ctx_t;

static const char *ap_expr_eval_re_backref(ap_expr_eval_ctx_t *ctx, unsigned int n)
{
  int len;
  if (!ctx->re_pmatch || !ctx->re_source ||
      *ctx->re_source == '\0' ||
      ctx->re_nmatch < n + 1)
    return "";
  ....
}
-------------------------------------------------------------------------------
V597 The compiler could delete the 'memset' function call, which is used to flush 'x' buffer. The RtlSecureZeroMemory() function should be used to erase the private data. apr apr_md4.c 362

V597: http://www.viva64.com/en/d/0208/

static void MD4Transform(apr_uint32_t state[4], const unsigned char block[64])
{
  apr_uint32_t a = state[0], b = state[1],
               c = state[2], d = state[3],
               x[APR_MD4_DIGESTSIZE];  
  ....
  /* Zeroize sensitive information. */
  memset(x, 0, sizeof(x));
}

V597 The compiler could delete the 'memset' function call, which is used to flush 'tmpbuf' buffer. The RtlSecureZeroMemory() function should be used to erase the private data. apr apr_md5.c 436
V597 The compiler could delete the 'memset' function call, which is used to flush 'final' buffer. The RtlSecureZeroMemory() function should be used to erase the private data. apr apr_md5.c 662
V597 The compiler could delete the 'memset' function call, which is used to flush 'tmpbuf' buffer. The RtlSecureZeroMemory() function should be used to erase the private data. aprutil apr_md5.c 436
V597 The compiler could delete the 'memset' function call, which is used to flush 'final' buffer. The RtlSecureZeroMemory() function should be used to erase the private data. aprutil apr_md5.c 662
V597 The compiler could delete the 'memset' function call, which is used to flush 'x' buffer. The RtlSecureZeroMemory() function should be used to erase the private data. aprutil apr_md4.c 362
V597 The compiler could delete the 'memset' function call, which is used to flush 'buf' buffer. The RtlSecureZeroMemory() function should be used to erase the private data. htdbm passwd_common.c 165
-------------------------------------------------------------------------------
V614 Potentially uninitialized pointer 'wch' used. apr start.c 58

V614: http://www.viva64.com/en/d/0230/

static int warrsztoastr(const char * const * *retarr,
                        const wchar_t * arrsz, int args)
{
  const apr_wchar_t *wch;
  ....

  if (args < 0) {
    for (args = 1, wch = arrsz; wch[0] || wch[1]; ++wch)
      if (!*wch)
       ++args;
  }
  wsize = 1 + wch - arrsz;
  ....
}
-------------------------------------------------------------------------------
V654 The condition 'retry < 2' of loop is always true. mod_proxy_wstunnel mod_proxy_wstunnel.c 436

V654: http://www.viva64.com/en/d/0275/

static int proxy_wstunnel_handler(....)
{
  int retry;
  ....
  retry = 0;
  while (retry < 2) {
    char *locurl = url;
    ....
    // Variable 'retry' is not used
    ....
  }
  ....
}

----
Best regards,
Andrey Karpov
Ph.D. in Mathematics, CTO
OOO "Program Verification Systems" (Co Ltd)
URL: www.viva64.com
E-Mail: karpov@viva64.com
Comment 1 Christophe JAILLET 2018-05-28 19:59:01 UTC 
1) Fixed in r1812307

2) I've sent a patch for it. See r1832415, even if the patch is not a perfect solution. apr_crypto_memzero() should be available in all cases, IMHO.
I leave the other location as-is for now, waiting to see if it can be used more widely, without some #if

3) Fixed in r1832203

4) Fixed in r1729507


I change the product from apache to apr for the remaining memset vs apr_crypto_memzero issues of point 2)