
Re: [osip-dev] Some potential null pointer dereferences in libosip2-4.0.

From: Aymeric Moizard
Subject: Re: [osip-dev] Some potential null pointer dereferences in libosip2-4.0.0
Date: Mon, 22 Apr 2013 12:26:55 +0200


Tks a lot for the report. I have added the allocation checks for
the report you just made! It's committed in git.

I have checked quickly your previous report: if I'm correct,
I did one fix last year when a pthread fails based on this report
and the other ones were false positives. (memory is kept inside
a fifo and released later!)


2013/4/22 Zhenbo Xu <address@hidden>
Hi, all,

Recently, I applied the static analysis tool Canalyze to libosip2-4.0.0 (Archive version),
and it seems some null dereferences exist in the source code:

1. file: osip_authorization.c
function: osip_authorization_clone
At line 556: i = osip_authorization_init (&au);
osip_authorization_init returns OSIP_NOMEM(-4) when the malloc function fails.

At line 557: if (i == -1)                  /* allocation failed */
It would be a mistake to compare i with -1 rather than OSIP_NOMEM.

2. file: osip.c
function: osip_start_200ok_retransmissions
At line 182: ixt_init(&ixt)
ixt may be NULL.

3. file: osip_accessor.c
function: sdp_message_k_key_set
At line 462: sdp_key_init(&key)
key may be NULL.

4. file: osip_dialog.c
function: osip_dialog_match_as_uas
At line 239: osip_call_id_to_str (request->call_id, &tmp);
tmp may be NULL.

function: osip_dialog_match_as_uac
At line 180: osip_call_id_to_str (answer->call_id, &tmp);
tmp may be NULL.

Most of these bugs are caused by incomplete error handling of allocation failures.
Maybe we should improve it.

I also sent some memory leak reports to aymeric last year, which were confirmed and listed here.

Hope for your replies!

Best Regards,

Zhenbo Xu


Antisip - http://www.antisip.com
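The defect pattern in the report is a caller that tests an init function's return value against -1 while the function actually signals allocation failure with OSIP_NOMEM (-4), so the NULL out-pointer is dereferenced. The following is an added example written for this page, not libosip2 code: the `demo_*` names and the struct layout are constructed stand-ins, and only the return-code convention (0 on success, OSIP_NOMEM = -4 on malloc failure) is taken from the report. It puts the report's `i == -1` predicate beside the corrected `i != 0` check, and shows a clone routine that checks every allocating call, never touches the out-pointer on failure, and frees partially built state before propagating the error code. Allocation failure is injected through a flag so the error path can actually be exercised.

```c
#include <stdlib.h>
#include <string.h>

/* Return codes as used in the report: 0 on success, OSIP_NOMEM (-4) when malloc fails. */
#define OSIP_SUCCESS 0
#define OSIP_NOMEM (-4)

/* Constructed stand-in for a header struct; this is not libosip2's real layout. */
typedef struct {
    char *auth_type;
} demo_auth_t;

/* Failure injection: when set, demo_malloc behaves like a failing malloc(). */
static int g_fail_alloc = 0;

static void *demo_malloc(size_t n) {
    return g_fail_alloc ? NULL : malloc(n);
}

/* Init in the style the report describes: on failure *dest is NULL and OSIP_NOMEM is returned. */
int demo_auth_init(demo_auth_t **dest) {
    *dest = (demo_auth_t *)demo_malloc(sizeof(demo_auth_t));
    if (*dest == NULL)
        return OSIP_NOMEM;
    (*dest)->auth_type = NULL;
    return OSIP_SUCCESS;
}

/* to_str-style helper: on failure *dest stays NULL, mirroring the osip_call_id_to_str reports. */
int demo_str_dup(const char *src, char **dest) {
    size_t len;
    *dest = NULL;
    if (src == NULL)
        return OSIP_SUCCESS;          /* nothing to copy is not an allocation error */
    len = strlen(src) + 1;
    *dest = (char *)demo_malloc(len);
    if (*dest == NULL)
        return OSIP_NOMEM;
    memcpy(*dest, src, len);
    return OSIP_SUCCESS;
}

void demo_auth_free(demo_auth_t *au) {
    if (au == NULL)
        return;
    free(au->auth_type);
    free(au);
}

/* The predicate from the report, `if (i == -1)`: OSIP_NOMEM (-4) slips through as "success". */
int alloc_failed_buggy(int rc) { return rc == -1; }

/* The corrected predicate: any non-zero return from an allocating call is a failure. */
int alloc_failed_fixed(int rc) { return rc != OSIP_SUCCESS; }

/* Clone with complete error handling: each allocating call is checked on its return
   code, the out-pointer is never dereferenced on failure, and half-built state is
   released before the error code is propagated to the caller. */
int demo_auth_clone_fixed(const demo_auth_t *src, demo_auth_t **dest) {
    demo_auth_t *au = NULL;
    int i;

    *dest = NULL;
    if (src == NULL)
        return -1;                    /* caller error; a constructed code, distinct from OSIP_NOMEM */

    i = demo_auth_init(&au);
    if (alloc_failed_fixed(i))
        return i;                     /* au is NULL here: propagate, do not dereference */

    i = demo_str_dup(src->auth_type, &au->auth_type);
    if (alloc_failed_fixed(i)) {
        demo_auth_free(au);           /* release the partially built clone */
        return i;
    }

    *dest = au;
    return OSIP_SUCCESS;
}

/* Exercises the failure and success paths; returns 1 if the fixed clone behaves correctly. */
int demo_run(void) {
    demo_auth_t src = { "Digest" };   /* constructed sample header */
    demo_auth_t *copy = NULL;
    int rc, ok = 1;

    g_fail_alloc = 1;                 /* simulate malloc failure inside init */
    rc = demo_auth_clone_fixed(&src, &copy);
    ok &= (rc == OSIP_NOMEM && copy == NULL);

    g_fail_alloc = 0;                 /* normal path: deep copy of the string */
    rc = demo_auth_clone_fixed(&src, &copy);
    ok &= (rc == OSIP_SUCCESS && copy != NULL && copy->auth_type != src.auth_type
           && strcmp(copy->auth_type, "Digest") == 0);
    demo_auth_free(copy);
    return ok;
}
```

Testing against `!= 0` rather than a single sentinel is what makes the check robust: if the library later adds further error codes, the caller still treats every one of them as failure, and the NULL out-pointer is never reached.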
