Codekhana

src/event/ngx_event_udp.c

2 issues

read - Check buffer boundaries if used in a loop including recursive loops

Security

Line: 256 Column: 22 CWE codes: 120 20

                          buf.pos = buffer;
            buf.last = buffer + n;

            rev = c->read;

            c->udp->buffer = &buf;

            rev->ready = 1;
            rev->active = 0;

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops

Security

Line: 346 Column: 18 CWE codes: 120 20

              
        c->buffer->last = ngx_cpymem(c->buffer->last, buffer, n);

        rev = c->read;
        wev = c->write;

        rev->active = 1;
        wev->ready = 1;

Reported by FlawFinder.

src/mail/ngx_mail_pop3_module.c

2 issues

Array 'ngx_mail_pop3_auth_methods_names[6]' accessed at index 9998, which is out of bounds.

Error

Line: 188 CWE codes: 788

                       m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
         m <<= 1, i++)
    {
        if (ngx_mail_pop3_auth_methods_names[i].len == 0) {
            continue;
        }

        if (m & conf->auth_methods) {
            size += 1 + ngx_mail_pop3_auth_methods_names[i].len;

Reported by Cppcheck.

Array 'ngx_mail_pop3_auth_methods_names[6]' accessed at index 9998, which is out of bounds.

Error

Line: 259 CWE codes: 788

                       m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
         m <<= 1, i++)
    {
        if (ngx_mail_pop3_auth_methods_names[i].len == 0) {
            continue;
        }

        if (m & conf->auth_methods) {
            size += ngx_mail_pop3_auth_methods_names[i].len

Reported by Cppcheck.

src/os/unix/ngx_daemon.c

2 issues

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?

Security

Line: 39 Column: 10 CWE codes: 362

              
    umask(0);

    fd = open("/dev/null", O_RDWR);
    if (fd == -1) {
        ngx_log_error(NGX_LOG_EMERG, log, ngx_errno,
                      "open(\"/dev/null\") failed");
        return NGX_ERROR;
    }

Reported by FlawFinder.

umask - Ensure that umask is given most restrictive possible setting (e.g., 066 or 077)

Security

Line: 37 Column: 5 CWE codes: 732

                      return NGX_ERROR;
    }

    umask(0);

    fd = open("/dev/null", O_RDWR);
    if (fd == -1) {
        ngx_log_error(NGX_LOG_EMERG, log, ngx_errno,
                      "open(\"/dev/null\") failed");

Reported by FlawFinder.

src/os/unix/ngx_process_cycle.c

2 issues

srandom - This function is not sufficiently random for security-related functions such as key and nonce creation

Security

Line: 889 Column: 5 CWE codes: 327
Suggestion: Use a more secure technique for acquiring random values

                  }

    tp = ngx_timeofday();
    srandom(((unsigned) ngx_pid << 16) ^ tp->sec ^ tp->msec);

    /*
     * disable deleting previous events for the listening sockets because
     * in the worker processes there are no events at all at this point
     */

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops

Security

Line: 964 Column: 25 CWE codes: 120 20

                      c = cycle->connections;
        for (i = 0; i < cycle->connection_n; i++) {
            if (c[i].fd != -1
                && c[i].read
                && !c[i].read->accept
                && !c[i].read->channel
                && !c[i].read->resolver)
            {
                ngx_log_error(NGX_LOG_ALERT, cycle->log, 0,

Reported by FlawFinder.

src/os/unix/ngx_time.c

2 issues

getenv - Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once

Security

Line: 29 Column: 9 CWE codes: 807 20
Suggestion: Check environment variables carefully before using them

              {
#if (NGX_FREEBSD)

    if (getenv("TZ")) {
        return;
    }

    putenv("TZ=UTC");

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues

Security

Line: 44 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              #elif (NGX_LINUX)
    time_t      s;
    struct tm  *t;
    char        buf[4];

    s = time(0);

    t = localtime(&s);

Reported by FlawFinder.

src/os/unix/ngx_user.c

2 issues

crypt_r - The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment

Security

Line: 25 Column: 13 CWE codes: 327
Suggestion: Use a different algorithm, such as SHA-256, with a larger, non-repeating salt

              
    cd.initialized = 0;

    value = crypt_r((char *) key, (char *) salt, &cd);

    if (value) {
        len = ngx_strlen(value) + 1;

        *encrypted = ngx_pnalloc(pool, len);

Reported by FlawFinder.

crypt - The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment

Security

Line: 53 Column: 13 CWE codes: 327
Suggestion: Use a different algorithm, such as SHA-256, with a larger, non-repeating salt

                  size_t      len;
    ngx_err_t   err;

    value = crypt((char *) key, (char *) salt);

    if (value) {
        len = ngx_strlen(value) + 1;

        *encrypted = ngx_pnalloc(pool, len);

Reported by FlawFinder.

src/os/win32/ngx_udp_wsarecv.c

2 issues

read - Check buffer boundaries if used in a loop including recursive loops

Security

Line: 32 Column: 14 CWE codes: 120 20

                  ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "WSARecv: fd:%d rc:%d %ul of %z", c->fd, rc, bytes, size);

    rev = c->read;

    if (rc == -1) {
        rev->ready = 0;
        err = ngx_socket_errno;

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops

Security

Line: 64 Column: 14 CWE codes: 120 20

                  ngx_event_t      *rev;
    LPWSAOVERLAPPED   ovlp;

    rev = c->read;

    if (!rev->ready) {
        ngx_log_error(NGX_LOG_ALERT, c->log, 0, "second wsa post");
        return NGX_AGAIN;
    }

Reported by FlawFinder.

src/os/win32/ngx_win32_init.c

2 issues

srand - This function is not sufficiently random for security-related functions such as key and nonce creation

Security

Line: 276 Column: 5 CWE codes: 327
Suggestion: Use a more secure technique for acquiring random values

                  }

    tp = ngx_timeofday();
    srand((ngx_pid << 16) ^ (unsigned) tp->sec ^ tp->msec);

    return NGX_OK;
}

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues

Security

Line: 20 Column: 1 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              ngx_uint_t  ngx_inherited_nonblocking = 1;
ngx_uint_t  ngx_tcp_nodelay_and_tcp_nopush;

char        ngx_unique[NGX_INT32_LEN + 1];


ngx_os_io_t ngx_os_io = {
    ngx_wsarecv,
    ngx_wsarecv_chain,

Reported by FlawFinder.

src/os/win32/ngx_wsarecv.c

2 issues

read - Check buffer boundaries if used in a loop including recursive loops

Security

Line: 33 Column: 14 CWE codes: 120 20

                  ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "WSARecv: fd:%d rc:%d %ul of %z", c->fd, rc, bytes, size);

    rev = c->read;

    if (rc == -1) {
        rev->ready = 0;
        err = ngx_socket_errno;

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops

Security

Line: 116 Column: 14 CWE codes: 120 20

                  ngx_event_t      *rev;
    LPWSAOVERLAPPED   ovlp;

    rev = c->read;

    if (!rev->ready) {
        ngx_log_error(NGX_LOG_ALERT, c->log, 0, "second wsa post");
        return NGX_AGAIN;
    }

Reported by FlawFinder.

src/http/modules/ngx_http_geo_module.c

1 issues

Dangerous assignment - the function parameter is assigned the address of a local auto-variable. Local auto-variables are reserved from the stack which is freed when the function ends. So the pointer to a local variable is invalid after the function ends.

Error

Line: 469 CWE codes: 562

              
    save = *cf;
    cf->pool = pool;
    cf->ctx = &ctx;
    cf->handler = ngx_http_geo;
    cf->handler_conf = conf;

    rv = ngx_conf_parse(cf, NULL);

Reported by Cppcheck.

Modal title

The following issues were found

src/event/ngx_event_udp.c

2 issues

src/mail/ngx_mail_pop3_module.c

2 issues

src/os/unix/ngx_daemon.c

2 issues

src/os/unix/ngx_process_cycle.c

2 issues

src/os/unix/ngx_time.c

2 issues

src/os/unix/ngx_user.c

2 issues

src/os/win32/ngx_udp_wsarecv.c

2 issues

src/os/win32/ngx_win32_init.c

2 issues

src/os/win32/ngx_wsarecv.c

2 issues

src/http/modules/ngx_http_geo_module.c

1 issues