Skip to content

Code Inconsistencies Detected by Static Analysis #2429

New issue
New issue
Open
Open
Code Inconsistencies Detected by Static Analysis#2429
@Anchels

Description

@Anchels
Anchels
opened on Jun 17, 2025

Return value of a function lua_touserdata is dereferenced without checking for NULL, but it is usually checked for this function:

lua-nginx-module/src/ngx_http_lua_socket_tcp.c

Lines 4662 to 4673 in 9688812

cp = lua_touserdata(L, lua_upvalueindex(3));
dd("checking existing state: %d", cp->state);
if (cp->state == -1) {
cp->state = 0;
lua_pushnil(L);
lua_pushnil(L);
lua_pushnil(L);
return 3;
}

Similar issue with fucntion ngx_http_lua_get_req:

lua-nginx-module/src/ngx_http_lua_socket_tcp.c

Lines 5112 to 5117 in 9688812

r = ngx_http_lua_get_req(L);
if (r != r->main) {
return luaL_error(L, "attempt to read the request body in a "
"subrequest");
}

After having been compared to a NULL value:

lua-nginx-module/src/ngx_http_lua_socket_tcp.c

Lines 1814 to 1816 in 9688812

if (server_name != NULL && server_name->data != NULL) {
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"lua ssl server name: \"%V\"", server_name);

pointer server_name->data is dereferenced without null check by calling function memcpy:

lua-nginx-module/src/ngx_http_lua_socket_tcp.c

Lines 1855 to 1857 in 9688812

ngx_memcpy(u->ssl_name.data, server_name->data,
server_name->len);
u->ssl_name.len = server_name->len;

Found by Linux Verification Center with SVACE

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions