Hello! I analyzed Nginx modules with Svace static analyzer. It found a potential problem in the code in /stream-lua-nginx-module/src/ngx_stream_lua_output.c
Brief Description
There is a potential NULL dereference issue in the function ngx_stream_lua_ngx_flush. Specifically, the return value of the function ngx_stream_lua_get_req(L) is used without checking for NULL. If ngx_stream_lua_get_req(L) returns NULL, subsequent operations on the pointer r will result in undefined behavior, likely causing a segmentation fault or crash.
The problematic code snippet is as follows:
r = ngx_stream_lua_get_req(L);
ctx = ngx_stream_lua_get_module_ctx(r, ngx_stream_lua_module);
Here, r is dereferenced without verifying that it is not NULL.
Solution
To address this issue, we need to add a check for NULL after calling ngx_stream_lua_get_req(L). If r is NULL, the function should return an appropriate error message using luaL_error.
Patch
Below is the patch to fix the issue:
diff --git a/src/ngx_stream_lua_ngx_flush.c b/src/ngx_stream_lua_ngx_flush.c
--- a/src/ngx_stream_lua_ngx_flush.c
+++ b/src/ngx_stream_lua_ngx_flush.c
@@ -16,6 +16,9 @@ ngx_stream_lua_ngx_flush(lua_State *L)
r = ngx_stream_lua_get_req(L);
+ if (r == NULL) {
+ return luaL_error(L, "no request found");
+ }
ctx = ngx_stream_lua_get_module_ctx(r, ngx_stream_lua_module);
if (ctx == NULL) {
return luaL_error(L, "no request ctx found");
Explanation of the Patch
- Check for
NULL: After calling ngx_stream_lua_get_req(L), the patch adds a check to ensure that r is not NULL.
if (r == NULL) {
return luaL_error(L, "no request found");
}
- Error Handling: If
r is NULL, the function immediately returns an error message ("no request found") using luaL_error. This prevents further execution and avoids dereferencing a NULL pointer.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Hello! I analyzed Nginx modules with Svace static analyzer. It found a potential problem in the code in /stream-lua-nginx-module/src/ngx_stream_lua_output.c
Brief Description
There is a potential
NULLdereference issue in the functionngx_stream_lua_ngx_flush. Specifically, the return value of the functionngx_stream_lua_get_req(L)is used without checking forNULL. Ifngx_stream_lua_get_req(L)returnsNULL, subsequent operations on the pointerrwill result in undefined behavior, likely causing a segmentation fault or crash.The problematic code snippet is as follows:
Here,
ris dereferenced without verifying that it is notNULL.Solution
To address this issue, we need to add a check for
NULLafter callingngx_stream_lua_get_req(L). IfrisNULL, the function should return an appropriate error message usingluaL_error.Patch
Below is the patch to fix the issue:
Explanation of the Patch
NULL: After callingngx_stream_lua_get_req(L), the patch adds a check to ensure thatris notNULL.risNULL, the function immediately returns an error message ("no request found") usingluaL_error. This prevents further execution and avoids dereferencing aNULLpointer.Found by Linux Verification Center (linuxtesting.org) with SVACE.