Recently, I applied the static analysis tool
Canalyze to libosip2-4.0.0 (archive version),
and it seems some null dereferences exist in the source code:
1. file: osip_authorization.c
function: osip_authorization_clone
description:
At line 556: i = osip_authorization_init (&au);
osip_authorization_init returns OSIP_NOMEM(-4) when the malloc function fails.
At line 557: if (i == -1) /* allocation failed */
It would be a mistake to compare i with -1 rather than OSIP_NOMEM.

2. file: osip.c
function: osip_start_200ok_retransmissions
At line 182: ixt_init(&ixt)
ixt may be NULL.

3. file: osip_accessor.c
function: sdp_message_k_key_set
At line 462: sdp_key_init(&key)
key may be NULL.

4. file: osip_dialog.c
function: osip_dialog_match_as_uas
At line 239: osip_call_id_to_str (request->call_id, &tmp);
tmp may be NULL.
function: osip_dialog_match_as_uac
At line 180: osip_call_id_to_str (answer->call_id, &tmp);
tmp may be NULL.
Most of these bugs are caused by incomplete error handling of allocation failures.
Maybe we should improve it.
I also sent some memory leak reports to aymeric last year, which were confirmed and listed
here.
I look forward to your replies!
Best regards,
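As an added illustration of item 1 above (this is not code from libosip2; the hdr_t type, hdr_init, hdr_free and the xmalloc failure hook are hypothetical stand-ins, with OSIP_NOMEM set to -4 as the report states), here is a clone routine with the flagged `i == -1` check next to a form that propagates every non-zero status, exercised under a simulated allocation failure:

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins for libosip2's codes: OSIP_NOMEM is -4, as the report states. */
#define OSIP_SUCCESS   0
#define OSIP_NOMEM    -4
#define WOULD_CRASH  -99  /* sentinel returned here instead of really dereferencing NULL */

typedef struct { char *name; } hdr_t;  /* toy header, not libosip2's osip_authorization_t */

/* Test hook: set to 1 to make the next allocation fail deterministically. */
static int fail_next_alloc = 0;
static void *xmalloc(size_t n) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(n);
}
static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = xmalloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Mimics an osip_*_init(): on allocation failure returns OSIP_NOMEM and leaves *dest NULL. */
static int hdr_init(hdr_t **dest) {
    *dest = xmalloc(sizeof **dest);
    if (*dest == NULL) return OSIP_NOMEM;
    (*dest)->name = NULL;
    return OSIP_SUCCESS;
}
static void hdr_free(hdr_t *h) { if (h) { free(h->name); free(h); } }

/* The flagged pattern: the check is "i == -1", but init signals failure with -4,
   so execution continues and (*dest)->name would be written through a NULL pointer. */
static int clone_buggy(const hdr_t *src, hdr_t **dest) {
    int i = hdr_init(dest);
    if (i == -1) return i;                   /* never true for OSIP_NOMEM */
    if (*dest == NULL) return WOULD_CRASH;   /* stands in for the real NULL dereference */
    (*dest)->name = src->name ? xstrdup(src->name) : NULL;
    return OSIP_SUCCESS;
}

/* Hardened form: propagate every non-zero status and never touch *dest after a failure. */
static int clone_fixed(const hdr_t *src, hdr_t **dest) {
    int i = hdr_init(dest);
    if (i != OSIP_SUCCESS) return i;         /* catches OSIP_NOMEM and any other error */
    if (src->name != NULL) {
        (*dest)->name = xstrdup(src->name);
        if ((*dest)->name == NULL) { hdr_free(*dest); *dest = NULL; return OSIP_NOMEM; }
    }
    return OSIP_SUCCESS;
}
```

Checking for `!= 0` (or `!= OSIP_SUCCESS`) rather than a single magic value is what keeps the check correct when an init function gains new error codes.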