[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [osip-dev] Some other potential bugs detected by canalyze

From: Aymeric Moizard
Subject: Re: [osip-dev] Some other potential bugs detected by canalyze
Date: Mon, 29 Apr 2013 13:20:36 +0200

2013/4/29 Zhenbo Xu <address@hidden>
A few days ago, I reported some potential null pointer dereferences.
Those are part of reports our tool produced.
After checking other reports manually, I also found some reprots that seem to be real bugs:
1. Bug D400-28
file: osip_message_to_str.c
function: strcat_simple_header
line 196: string = osip_realloc (string, *malloc_size);
When realloc returns null, the original "string" is not freed.
I have fixed this one (and other same occurence in same files) 

2. Bug D400-17
file: osip_uri.c
function: osip_uri_parse_params
line 449: osip_uri_uparam_add(url, pname, pvalue)
This function may just return i(i = osip_uri_param_init (&url_param); and i != 0) that leaves pvalue unchanged.
line 466: pvalue = (char *) osip_malloc (comma - equal);
override pvalue without any free.
fixed both occurence of osip_uri_uparam_add: release pvalue and pname

3. Bug D400-1
file: osip_from.c
function: __osip_generic_param_parseall
line 563: osip_generic_param_add (gen_params, pname, pvalue);
does not assure pname is added.

fixed both occurence of osip_generic_param_add: release pvalue and pname
4. Bug D400-18
file: osip_uri.c
The same explanation with 2, but with different allocation site. (pname)

fixed above
5. Bug D400-15
file: osip_uri.c
The same explanation with 2, but with different allocation site. (pname)

fixed: release hname and hvalue

6. Bug D400-26
file: osip.c
function: osip_start_200ok_retransmissions
line 187: osip_add_ixt (osip, ixt);
osip_list_add does not assure ixt is added to list.

too many osip_list_add to fix... skipping this one.
7. Bug D400-19
file: osip_uri.c
The same explanation with 2, but with different allocation site. 
8. Bug D400-20
file: osip_uri.c
The same explanation with 2, but with different allocation site. 
9. Bug D400-2
file: osip_from.c
function: __osip_generic_param_parseall
The same explanation with 2, but at different file.
Allocation site line 509: pname = (char *) osip_malloc (equal - params);
Overrided at line 556: pname = (char *) osip_malloc (equal - params);

same as 3
10. Bug D400-21
file: osip_uri.c
function: __osip_uri_escape_nonascii_and_nondef
line 879: ns = osip_realloc (ns, alloc);
Function realloc don't make sure ns is freed when returning null.

11. Bug D400-16
file: osip_uri.c
function: osip_uri_parse_headers
line 381: hvalue = (char *) osip_malloc (headers + strlen (headers) - equal + 1);
Function osip_uri_uheader_add does not assure hvalue is added to the list.

duplicate//fixed above

I have fixed other occurence of osip_realloc and__osip_uri_escape_xxx possible allocation failure in osip_uri
All of the use after free reports are caused by function __osip_sdp_append_string (string, size, tmp, "a=");
in which "string" may be freed (by calling realloc(string, size)).
Yes. Not easy to improve.
And the double locking report is sort of too complicated to confirm...It is ok if you ignore it.

The full list of reports are here. Or you can download them from here.

Hope for your replies.

BTW: If I have been boring you or you don't concern about the bugs I reported, please let me know :)

It's very good to send bug reports. It's improving the code against allocation failure.

I hope you can check my fix and may be run the canalyse again?

I have a bad internet connection today and it's not very easy to read your report, so I may have missed
some of them...


Best Regards

Zhenbo Xu

osip-dev mailing list

Antisip - http://www.antisip.com

reply via email to

[Prev in Thread] Current Thread [Next in Thread]