[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[osip-dev] Some potential null pointer dereferences in libosip2-4.0.0

From: Zhenbo Xu
Subject: [osip-dev] Some potential null pointer dereferences in libosip2-4.0.0
Date: Mon, 22 Apr 2013 15:50:02 +0800

Hi, all,

Recently, I applied a static analysis tool Canalyze to libosip2-4.0.0 (Archive version), 
and it seems some null dereferences exist in the source code:

1. file: osip_authorization.c 
function: osip_authorization_clone
At line 556: i = osip_authorization_init (&au);
osip_authorization_init returns OSIP_NOMEM(-4) when the malloc function fails.

At line 557: if (i == -1)                  /* allocation failed */
It would be a mistake to compare i with -1 rather than OSIP_NOMEM.

2. file: osip.c
function: osip_start_200ok_retransmissions
At line 182: ixt_init(&ixt)
ixt may be NULL.

3. file: osip_accessor.c
function: sdp_message_k_key_set
At line 462: sdp_key_init(&key)
key may be NULL

4. file: osip_dialog.c
function: osip_dialog_match_as_uas
At line 239: osip_call_id_to_str (request->call_id, &tmp);
tmp may be NULL

function: osip_dialog_match_as_uac
At line 180: osip_call_id_to_str (answer->call_id, &tmp);
tmp may be NULL

Most of these bugs are caused by incomplete error handling of allocation failures.
Maybe we should improve it.

I also sent some memory leak reports to aymeric last year, which were confirmed and listed here.

Hope for your replies!

Beset Regards,

Zhenbo Xu

reply via email to

[Prev in Thread] Current Thread [Next in Thread]