From: Zhenbo Xu
Subject: Re: [osip-dev] Some other potential bugs detected by canalyze
Date: Mon, 29 Apr 2013 20:11:40 +0800

> 2013/4/29 Zhenbo Xu <address@hidden>
>
>> Hi,
>>
>> A few days ago, I reported some potential null pointer dereferences.
>> Those are part of the reports our tool produced. After checking other
>> reports manually, I also found some reports that seem to be real bugs:
>>
>> 1. Bug D400-28
>> file: osip_message_to_str.c
>> function: strcat_simple_header
>> line 196: string = osip_realloc (string, *malloc_size);
>> When realloc returns null, the original "string" is not freed.
>
> I have fixed this one (and other occurrences in the same files).
>
>> 2. Bug D400-17
>> file: osip_uri.c
>> function: osip_uri_parse_params
>> line 449: osip_uri_uparam_add(url, pname, pvalue)
>> This function may just return i (i = osip_uri_param_init (&url_param); and i != 0), which leaves pvalue unchanged.
>> line 466: pvalue = (char *) osip_malloc (comma - equal);
>> overrides pvalue without any free.
>
> Fixed both occurrences of osip_uri_uparam_add: release pvalue and pname.
>
>> 3. Bug D400-1
>> file: osip_from.c
>> function: __osip_generic_param_parseall
>> line 563: osip_generic_param_add (gen_params, pname, pvalue);
>> does not assure pname is added.
>
> Fixed both occurrences of osip_generic_param_add: release pvalue and pname.
>
>> 4. Bug D400-18
>> file: osip_uri.c
>> The same explanation as 2, but with a different allocation site (pname).
>
> Fixed above.
>
>> 5. Bug D400-15
>> file: osip_uri.c
>> The same explanation as 2, but with a different allocation site (pname).
>
> Fixed: release hname and hvalue.
>
>> 6. Bug D400-26
>> file: osip.c
>> function: osip_start_200ok_retransmissions
>> line 187: osip_add_ixt (osip, ixt);
>> osip_list_add does not assure ixt is added to the list.
>
> Too many osip_list_add to fix... skipping this one.
>
>> 7. Bug D400-19
>> file: osip_uri.c
>> The same explanation as 2, but with a different allocation site.
>
> Duplicate?
>
>> 8. Bug D400-20
>> file: osip_uri.c
>> The same explanation as 2, but with a different allocation site.
>
> Duplicate?
>
>> 9. Bug D400-2
>> file: osip_from.c
>> function: __osip_generic_param_parseall
>> The same explanation as 2, but in a different file.
>> Allocation site line 509: pname = (char *) osip_malloc (equal - params);
>> Overridden at line 556: pname = (char *) osip_malloc (equal - params);
>
> Same as 3.
>
>> 10. Bug D400-21
>> file: osip_uri.c
>> function: __osip_uri_escape_nonascii_and_nondef
>> line 879: ns = osip_realloc (ns, alloc);
>> Function realloc doesn't make sure ns is freed when returning null.
>
> Fixed.
>
>> 11. Bug D400-16
>> file: osip_uri.c
>> function: osip_uri_parse_headers
>> line 381: hvalue = (char *) osip_malloc (headers + strlen (headers) - equal + 1);
>> Function osip_uri_uheader_add does not assure hvalue is added to the list.
>
> Duplicate // fixed above.
>
> I have fixed other occurrences of osip_realloc and __osip_uri_escape_xxx possible allocation failure in osip_uri.
>
>> All of the use-after-free reports are caused by function __osip_sdp_append_string (string, size, tmp, "a="); in which "string" may be freed (by calling realloc(string, size)).
>
> Yes. Not easy to improve.
>
> It's very good to send bug reports. It's improving the code against allocation failure.
> I hope you can check my fix and maybe run canalyze again?
>
> I have a bad internet connection today and it's not very easy to read your report, so I may have missed some of them...
>
> Aymeric
>
> _______________________________________________
> osip-dev mailing list
> address@hidden
> https://lists.gnu.org/mailman/listinfo/osip-dev
>
> --
> Antisip - http://www.antisip.com

Best Regards
--
Zhenbo Xu
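The two allocation-failure shapes that run through the thread (a realloc that overwrites the only reference to the old buffer, and an "add" routine that does not take ownership of its arguments when it fails) are shown below as an added C example. This is not libosip code: the xrealloc/xmalloc hooks, the param_list type, and the function names append_leaky, append_fixed, param_add and parse_and_add are constructed for this illustration so that a NULL return can be forced in a test without exhausting memory.

```c
/* Added example (not libosip code): allocation-failure patterns from the
 * osip-dev thread, each beside a corrected form. Allocator hooks are
 * constructed so a test can force NULL returns deterministically. */
#include <stdlib.h>
#include <string.h>

int fail_next_realloc = 0;   /* set to 1 to make the next xrealloc fail */
int fail_next_malloc = 0;    /* set to 1 to make the next xmalloc fail */

static void *xrealloc(void *p, size_t n)
{
    if (fail_next_realloc) { fail_next_realloc = 0; return NULL; }
    return realloc(p, n);
}

static void *xmalloc(size_t n)
{
    if (fail_next_malloc) { fail_next_malloc = 0; return NULL; }
    return malloc(n);
}

/* Local strdup so the example builds under strict C standards. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}

/* Pattern 1, leaky form (the strcat_simple_header report): on failure the
 * only reference to the old buffer is overwritten with NULL, so the
 * original memory can never be freed. */
int append_leaky(char **string, size_t *malloc_size, const char *tmp)
{
    size_t need = strlen(*string) + strlen(tmp) + 1;
    if (need > *malloc_size) {
        *malloc_size = need * 2;
        *string = xrealloc(*string, *malloc_size); /* old pointer lost on NULL */
        if (*string == NULL)
            return -1;
    }
    strcat(*string, tmp);
    return 0;
}

/* Pattern 1, corrected: realloc into a temporary; on failure *string and
 * *malloc_size are untouched and the caller can still use or free them. */
int append_fixed(char **string, size_t *malloc_size, const char *tmp)
{
    size_t need = strlen(*string) + strlen(tmp) + 1;
    if (need > *malloc_size) {
        size_t new_size = need * 2;
        char *grown = xrealloc(*string, new_size);
        if (grown == NULL)
            return -1;               /* caller's buffer still valid */
        *string = grown;
        *malloc_size = new_size;
    }
    strcat(*string, tmp);
    return 0;
}

/* Pattern 2: an add routine that takes ownership of name/value only when
 * it succeeds (the osip_uri_uparam_add / osip_list_add shape). */
struct param { char *name; char *value; struct param *next; };
struct param_list { struct param *head; };

int param_add(struct param_list *l, char *name, char *value)
{
    struct param *p = xmalloc(sizeof *p);
    if (p == NULL)
        return -1;                   /* ownership NOT transferred */
    p->name = name; p->value = value;
    p->next = l->head; l->head = p;
    return 0;
}

/* Caller side after the fix: release pname/pvalue on any failure path. */
int parse_and_add(struct param_list *l, const char *n, const char *v)
{
    char *name = dup_str(n);
    char *value = dup_str(v);
    if (name == NULL || value == NULL || param_add(l, name, value) != 0) {
        free(name);                  /* free(NULL) is a no-op */
        free(value);
        return -1;
    }
    return 0;
}

int param_count(const struct param_list *l)
{
    int n = 0;
    const struct param *p;
    for (p = l->head; p != NULL; p = p->next) n++;
    return n;
}

void param_list_free(struct param_list *l)
{
    struct param *p = l->head;
    while (p != NULL) {
        struct param *nx = p->next;
        free(p->name); free(p->value); free(p);
        p = nx;
    }
    l->head = NULL;
}
```

The design point is the same in both halves: a failing allocation must leave every pointer the caller still holds in a state the caller can free, so error handling is "return -1, caller cleans up" rather than "caller's pointer is now NULL and the memory is gone".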