
Mailing List Archive: Apache: Dev

mod_cgid and accept

 

 



christophe.jaillet at wanadoo

Jul 15, 2012, 3:04 AM

Post #1 of 5 (242 views)
mod_cgid and accept

Hi,

looking around for static analysis tools, I arrived on a commercial
software that states that it has already found some mistakes in httpd.

Reading it, I noticed one of their examples found in libhttpd. This
example was against the return value from 'accept'.

I looked in httpd for a similar construction, and found one in
modules\generators\mod_cgid.c:
>>>>>>>>>>>>>>
sd2 = accept(sd, (struct sockaddr *)&unix_addr, &len);
if (sd2 < 0) {
>>>>>>>>>>>>>>


According to http://www.viva64.com/en/b/0105/ (search in the page for
libhttpd to see their explanation), the return value of 'accept' should not
be tested for negative values, at least on Windows.


I don't know if it is really an issue or not, I just wanted to point it
out in case of interest for a httpd/socket/Windows guru.


Is there any chance for
(https://issues.apache.org/bugzilla/show_bug.cgi?id=52476) to be related
to it?


Best regards,
Christophe Jaillet


tom.browder at gmail

Jul 15, 2012, 3:24 AM

Post #2 of 5 (235 views)
Re: mod_cgid and accept

On Sun, Jul 15, 2012 at 5:04 AM, Christophe JAILLET
<christophe.jaillet [at] wanadoo> wrote:
> Hi,
>
> looking around for static analysis tools, I arrived on a commercial software
> that states that it has already found some mistakes in httpd.

Christophe brings up a good point. Has the httpd project ever had its
code analyzed by Coverity? If not, it should be eligible for a free
scan. See the bottom of this page for a free scan request:

http://www.coverity.com/products/static-analysis.html

Best regards,

-Tom


christophe.jaillet at wanadoo

Jul 15, 2012, 4:06 AM

Post #3 of 5 (237 views)
Re: mod_cgid and accept

On 15/07/2012 12:24, Tom Browder wrote:
> On Sun, Jul 15, 2012 at 5:04 AM, Christophe JAILLET
> <christophe.jaillet [at] wanadoo> wrote:
>> Hi,
>>
>> looking around for static analysis tools, I arrived on a commercial software
>> that states that it has already found some mistakes in httpd.
> Christophe brings up a good point. Has the httpd project ever had its
> code analyzed by Coverity? If not, it should be eligible for a free
> scan. See the bottom of this page for a free scan request:
>
> http://www.coverity.com/products/static-analysis.html
>
> Best regards,
>
> -Tom
>
http://scan.coverity.com/rungAll.html, apache is there, in rung 1, but I
don't know who has access to the result of the scan.

Christophe Jaillet


trawick at gmail

Jul 15, 2012, 5:29 AM

Post #4 of 5 (236 views)
Re: mod_cgid and accept

On Sun, Jul 15, 2012 at 4:04 AM, Christophe JAILLET
<christophe.jaillet [at] wanadoo> wrote:
> Hi,
>
> looking around for static analysis tools, I arrived on a commercial software
> that states that it has already found some mistakes in httpd.
>
> Reading it, I noticed one of their examples found in libhttpd. This example
> was against the return value from 'accept'.
>
> I looked in httpd for a similar construction, and found one in
> modules\generators\mod_cgid.c:
>>>>>>>>>>>>>>>
> sd2 = accept(sd, (struct sockaddr *)&unix_addr, &len);
> if (sd2 < 0) {
>>>>>>>>>>>>>>>

mod_cgid isn't written for Windows. There are plenty of other
Unix-isms as well.

>
>
> According to http://www.viva64.com/en/b/0105/ (search in the page for
> libhttpd to see their explanation), the return value of 'accept' should not be
> tested for negative values, at least on Windows.
>
>
> I don't know if it is really an issue or not, I just wanted to point it out
> in case of interest for a httpd/socket/Windows guru.
>
>
> Is there any chance for
> (https://issues.apache.org/bugzilla/show_bug.cgi?id=52476) to be related to
> it?
>
>
> Best regards,
> Christophe Jaillet
>



--
Born in Roswell... married an alien...
http://emptyhammock.com/
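
Added example, not part of the thread and not httpd's code: why the `sd2 < 0` test raised above is sound for the POSIX `accept()` that mod_cgid uses, yet can never fire against a Winsock-style unsigned socket handle. The `win_socket_t` type and `WIN_INVALID_SOCKET` macro are constructed stand-ins that mirror Winsock's `SOCKET` and `INVALID_SOCKET` so the block runs on a Unix host.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Constructed stand-ins mirroring Winsock's declarations
 * (typedef UINT_PTR SOCKET; #define INVALID_SOCKET (SOCKET)(~0)). */
typedef uintptr_t win_socket_t;
#define WIN_INVALID_SOCKET ((win_socket_t)~(win_socket_t)0)

/* The "sd2 < 0" test on an unsigned handle. Zero is passed as a variable
 * only to avoid a tautology warning; the unsigned comparison is the same
 * one the compiler performs for "s < 0". */
static int negative_test(win_socket_t s, win_socket_t zero) { return s < zero; }

/* Returns 1 if a failed Winsock-style accept is caught by the "< 0" test. */
int win_failure_caught_by_negative_test(void)
{
    return negative_test(WIN_INVALID_SOCKET, 0);
}

/* Returns 1 if the same failure is caught by comparing to the sentinel. */
int win_failure_caught_by_sentinel(void)
{
    win_socket_t sd2 = WIN_INVALID_SOCKET;
    return sd2 == WIN_INVALID_SOCKET;
}

/* POSIX side: accept() returns a signed int, -1 on error, so the mod_cgid
 * style check works. Returns errno if "sd2 < 0" caught the failure, else 0.
 * The descriptor -1 is deliberately invalid to force the error path. */
int posix_failure_errno(void)
{
    struct sockaddr_un unix_addr;
    socklen_t len = sizeof(unix_addr);
    int sd2 = accept(-1, (struct sockaddr *)&unix_addr, &len);
    return (sd2 < 0) ? errno : 0;
}

int main(void)
{
    printf("unsigned handle, '< 0' test fires:   %d\n", win_failure_caught_by_negative_test());
    printf("unsigned handle, sentinel test fires: %d\n", win_failure_caught_by_sentinel());
    printf("POSIX accept(-1), errno via '< 0':    %d\n", posix_failure_errno());
    return 0;
}
```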


wrowe at rowe-clan

Jul 31, 2012, 1:06 PM

Post #5 of 5 (188 views)
Re: mod_cgid and accept

On 7/15/2012 3:24 AM, Tom Browder wrote:
> On Sun, Jul 15, 2012 at 5:04 AM, Christophe JAILLET
> <christophe.jaillet [at] wanadoo> wrote:
>> Hi,
>>
>> looking around for static analysis tools, I arrived on a commercial software
>> that states that it has already found some mistakes in httpd.
>
> Christophe brings up a good point. Has the httpd project ever had its
> code analyzed by Coverity? If not, it should be eligible for a free
> scan. See the bottom of this page for a free scan request:
>
> http://www.coverity.com/products/static-analysis.html

Often. Occasionally someone discovers an actually interesting bit of source
which has a potential security implication, and sends us a report on the
security [at] http list.
