Fix inconsistency found by static analyzers

[Anchels]

Hello! I was analyzing Nginx modules with the Svace static analyzer. It has found an inconsistency code at the following sections of the code:

nginx-http-auth-digest/ngx_http_auth_digest_module.c

Lines 1227 to 1247 in 5a2cae4

	static void ngx_http_auth_digest_rbtree_prune_walk(ngx_rbtree_node_t *node,
	ngx_rbtree_node_t *sentinel,
	time_t now, ngx_log_t *log) {
	if (node == sentinel)
	return;
	if (node->left != sentinel) {
	ngx_http_auth_digest_rbtree_prune_walk(node->left, sentinel, now, log);
	}
	if (node->right != sentinel) {
	ngx_http_auth_digest_rbtree_prune_walk(node->right, sentinel, now, log);
	}
	ngx_http_auth_digest_node_t *dnode = (ngx_http_auth_digest_node_t *)node;
	if (dnode->drop_time <= ngx_time()) {
	ngx_rbtree_node_t **dropnode =
	ngx_array_push(ngx_http_auth_digest_cleanup_list);
	dropnode[0] = node;
	}
	}

and

nginx-http-auth-digest/ngx_http_auth_digest_module.c

Lines 1286 to 1308 in 5a2cae4

	static void
	ngx_http_auth_digest_ev_rbtree_prune_walk(ngx_rbtree_node_t *node,
	ngx_rbtree_node_t *sentinel,
	time_t now, ngx_log_t *log) {
	if (node == sentinel)
	return;
	if (node->left != sentinel) {
	ngx_http_auth_digest_ev_rbtree_prune_walk(node->left, sentinel, now, log);
	}
	if (node->right != sentinel) {
	ngx_http_auth_digest_ev_rbtree_prune_walk(node->right, sentinel, now, log);
	}
	ngx_http_auth_digest_ev_node_t *dnode =
	(ngx_http_auth_digest_ev_node_t *)node;
	if (dnode->drop_time <= ngx_time()) {
	ngx_rbtree_node_t **dropnode =
	ngx_array_push(ngx_http_auth_digest_cleanup_list);
	dropnode[0] = node;
	}
	}

---

In both methods the result value dropnode of method invocation ngx_array_push is dereferenced without checking for NULL:

nginx-http-auth-digest/ngx_http_auth_digest_module.c

Line 1245 in 5a2cae4

dropnode[0] = node;

and

nginx-http-auth-digest/ngx_http_auth_digest_module.c

Line 1306 in 5a2cae4

dropnode[0] = node;

---

Here's the source code for function ngx_array_push:

https://github.com/nginx/nginx/blob/ecb809305e54ed15be9f620d56b19ff4e4be7db5/src/core/ngx_array.c#L47-L91

Note that this function can return NULL. Therefore, when using it, it is important to check the result for NULL in order to avoid possible errors. And as a rule, such check is performed in other modules that use this function.

What do you think about adding the NULL checks?

---

Found by Linux Verification Center (linuxtesting.org) with SVACE.

[Anchels]

Similar issues, but with ngx_palloc function:

shm_name is dereferenced without checking for null:

nginx-http-auth-digest/ngx_http_auth_digest_module.c

Lines 75 to 76 in 5a2cae4

	shm_name = ngx_palloc(cf->pool, sizeof *shm_name);
	shm_name->len = sizeof("auth_digest");

same for *d:

nginx-http-auth-digest/ngx_http_auth_digest_module.c

Lines 499 to 517 in 5a2cae4

	if (quoted_pair_count > 0) {
	value.data = ngx_palloc(r->pool, value.len);
	u_char *d = value.data;
	u_char *s = start;
	for (; s < end; s++) {
	ch = *s;
	if (ch == '\\') {
	/* Make sure to add the next character
	* even if it's a \
	*/
	s++;
	if (s < end) {
	*d++ = ch;
	}
	continue;
	}
	*d++ = ch;
	}
	}

[LM4O322]

Looks like it might be worth adding a Null check herу too:
HA2.data is dereferenced without checking for NULL:

nginx-http-auth-digest/ngx_http_auth_digest_module.c

Line 716 in 5a2cae4

p = ngx_cpymem(p, HA2.data, HA2.len - 1);

HA1.data here:

nginx-http-auth-digest/ngx_http_auth_digest_module.c

Line 675 in 5a2cae4

p = ngx_cpymem(HA1.data, hashed_pw, 32);

and

auth_fields here:

nginx-http-auth-digest/ngx_http_auth_digest_module.c

Line 286 in 5a2cae4

int nc = ngx_hextoi(auth_fields->nc.data, auth_fields->nc.len);