[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [osip-dev] Some other potential bugs detected by canalyze

From: Zhenbo Xu
Subject: Re: [osip-dev] Some other potential bugs detected by canalyze
Date: Mon, 29 Apr 2013 20:11:40 +0800

I have just run canlayze in the latest git version.
It did not produce any new reports.
Your commit fixed most of the reports other than the memory leak related with osip_add_ixt and the use after free caused by __osip_sdp_append_string.

On Mon, Apr 29, 2013 at 7:20 PM, Aymeric Moizard <address@hidden> wrote:

2013/4/29 Zhenbo Xu <address@hidden>
A few days ago, I reported some potential null pointer dereferences.
Those are part of reports our tool produced.
After checking other reports manually, I also found some reprots that seem to be real bugs:
1. Bug D400-28
file: osip_message_to_str.c
function: strcat_simple_header
line 196: string = osip_realloc (string, *malloc_size);
When realloc returns null, the original "string" is not freed.
I have fixed this one (and other same occurence in same files) 

2. Bug D400-17
file: osip_uri.c
function: osip_uri_parse_params
line 449: osip_uri_uparam_add(url, pname, pvalue)
This function may just return i(i = osip_uri_param_init (&url_param); and i != 0) that leaves pvalue unchanged.
line 466: pvalue = (char *) osip_malloc (comma - equal);
override pvalue without any free.
fixed both occurence of osip_uri_uparam_add: release pvalue and pname

3. Bug D400-1
file: osip_from.c
function: __osip_generic_param_parseall
line 563: osip_generic_param_add (gen_params, pname, pvalue);
does not assure pname is added.

fixed both occurence of osip_generic_param_add: release pvalue and pname
4. Bug D400-18
file: osip_uri.c
The same explanation with 2, but with different allocation site. (pname)

fixed above
5. Bug D400-15
file: osip_uri.c
The same explanation with 2, but with different allocation site. (pname)

fixed: release hname and hvalue

6. Bug D400-26
file: osip.c
function: osip_start_200ok_retransmissions
line 187: osip_add_ixt (osip, ixt);
osip_list_add does not assure ixt is added to list.

too many osip_list_add to fix... skipping this one.
7. Bug D400-19
file: osip_uri.c
The same explanation with 2, but with different allocation site. 
8. Bug D400-20
file: osip_uri.c
The same explanation with 2, but with different allocation site. 
9. Bug D400-2
file: osip_from.c
function: __osip_generic_param_parseall
The same explanation with 2, but at different file.
Allocation site line 509: pname = (char *) osip_malloc (equal - params);
Overrided at line 556: pname = (char *) osip_malloc (equal - params);

same as 3
10. Bug D400-21
file: osip_uri.c
function: __osip_uri_escape_nonascii_and_nondef
line 879: ns = osip_realloc (ns, alloc);
Function realloc don't make sure ns is freed when returning null.

11. Bug D400-16
file: osip_uri.c
function: osip_uri_parse_headers
line 381: hvalue = (char *) osip_malloc (headers + strlen (headers) - equal + 1);
Function osip_uri_uheader_add does not assure hvalue is added to the list.

duplicate//fixed above

I have fixed other occurence of osip_realloc and__osip_uri_escape_xxx possible allocation failure in osip_uri
All of the use after free reports are caused by function __osip_sdp_append_string (string, size, tmp, "a=");
in which "string" may be freed (by calling realloc(string, size)).
Yes. Not easy to improve.
And the double locking report is sort of too complicated to confirm...It is ok if you ignore it.

The full list of reports are here. Or you can download them from here.

Hope for your replies.

BTW: If I have been boring you or you don't concern about the bugs I reported, please let me know :)

It's very good to send bug reports. It's improving the code against allocation failure.

I hope you can check my fix and may be run the canalyse again?

I have a bad internet connection today and it's not very easy to read your report, so I may have missed
some of them...


Best Regards

Zhenbo Xu

osip-dev mailing list

Antisip - http://www.antisip.com

Zhenbo Xu

reply via email to

[Prev in Thread] Current Thread [Next in Thread]