From: Aymeric Moizard
Subject: Re: [osip-dev] Some other potential bugs detected by canalyze
Date: Mon, 29 Apr 2013 13:20:36 +0200
Hi,

A few days ago, I reported some potential null pointer dereferences. Those are part of the reports our tool produced. After checking other reports manually, I also found some reports that seem to be real bugs:

1. Bug D400-28
file: osip_message_to_str.c
function: strcat_simple_header
line 196: string = osip_realloc (string, *malloc_size);
When realloc returns null, the original "string" is not freed.

2. Bug D400-17
file: osip_uri.c
function: osip_uri_parse_params
line 449: osip_uri_uparam_add(url, pname, pvalue)
This function may just return i (i = osip_uri_param_init (&url_param); and i != 0), which leaves pvalue unchanged.
line 466: pvalue = (char *) osip_malloc (comma - equal);
overrides pvalue without any free.

3. Bug D400-1
file: osip_from.c
function: __osip_generic_param_parseall
line 563: osip_generic_param_add (gen_params, pname, pvalue);
does not assure pname is added.

4. Bug D400-18
file: osip_uri.c
The same explanation as 2, but with a different allocation site (pname).

5. Bug D400-15
file: osip_uri.c
The same explanation as 2, but with a different allocation site (pname).

6. Bug D400-26
file: osip.c
function: osip_start_200ok_retransmissions
line 187: osip_add_ixt (osip, ixt);
osip_list_add does not assure ixt is added to the list.

7. Bug D400-19
file: osip_uri.c
The same explanation as 2, but with a different allocation site.

8. Bug D400-20
file: osip_uri.c
The same explanation as 2, but with a different allocation site.

9. Bug D400-2
file: osip_from.c
function: __osip_generic_param_parseall
The same explanation as 2, but in a different file.
Allocation site, line 509: pname = (char *) osip_malloc (equal - params);
Overridden at line 556: pname = (char *) osip_malloc (equal - params);

10. Bug D400-21
file: osip_uri.c
function: __osip_uri_escape_nonascii_and_nondef
line 879: ns = osip_realloc (ns, alloc);
Function realloc doesn't make sure ns is freed when returning null.

11. Bug D400-16
file: osip_uri.c
function: osip_uri_parse_headers
line 381: hvalue = (char *) osip_malloc (headers + strlen (headers) - equal + 1);
Function osip_uri_uheader_add does not assure hvalue is added to the list.

All of the use-after-free reports are caused by the function __osip_sdp_append_string (string, size, tmp, "a="); in which "string" may be freed (by calling realloc(string, size)).
Best Regards
--
Zhenbo Xu
_______________________________________________
osip-dev mailing list
address@hidden
https://lists.gnu.org/mailman/listinfo/osip-dev
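The two leak shapes the report describes (a `realloc` result assigned over the only pointer to the old block, and an `*_add` function whose return value is ignored so the caller never learns it did not take ownership) are shown below as an added example. It is not libosip2 code and not the reporter's; the allocator wrapper with fault injection and a live-block counter, the tiny parameter list, and the names `append_leaky`, `append_safe`, `add_param_leaky`, `add_param_safe`, `leaked_blocks_realloc` and `leaked_blocks_list` are all constructed here to make the failure paths reproducible offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allocator wrapper (not osip_malloc/osip_realloc): fails the
 * Nth allocation after fail_countdown is set, and counts live blocks so a
 * leak shows up as a non-zero count after everything reachable is freed. */
static int fail_countdown = 0;
static int live_blocks = 0;

static void *xrealloc(void *p, size_t n) {
    if (fail_countdown > 0 && --fail_countdown == 0) return NULL;
    void *q = realloc(p, n);
    if (q != NULL && p == NULL) live_blocks++;   /* a grown block is not a new one */
    return q;
}
static char *xstrdup(const char *s) {
    char *d = xrealloc(NULL, strlen(s) + 1);
    if (d != NULL) strcpy(d, s);
    return d;
}
static void xfree(void *p) { if (p != NULL) { live_blocks--; free(p); } }

/* Shape of bug D400-28 / D400-21: the only pointer to the old block is
 * overwritten with realloc's NULL, so the block can never be freed. */
int append_leaky(char **string, size_t *malloc_size, const char *suffix) {
    size_t need = strlen(*string) + strlen(suffix) + 1;
    if (need > *malloc_size) {
        *malloc_size = need * 2;
        *string = xrealloc(*string, *malloc_size);   /* BUG: old block lost on NULL */
        if (*string == NULL) return -1;
    }
    strcat(*string, suffix);
    return 0;
}

/* Fixed shape: realloc into a temporary; on failure the caller still owns
 * the original buffer and its size bookkeeping is untouched. */
int append_safe(char **string, size_t *malloc_size, const char *suffix) {
    size_t need = strlen(*string) + strlen(suffix) + 1;
    if (need > *malloc_size) {
        size_t new_size = need * 2;
        char *tmp = xrealloc(*string, new_size);
        if (tmp == NULL) return -1;
        *string = tmp;
        *malloc_size = new_size;
    }
    strcat(*string, suffix);
    return 0;
}

/* Constructed stand-in for the osip parameter lists: list_add takes
 * ownership of name/value only when it returns 0. */
struct item { char *name; char *value; struct item *next; };
struct list { struct item *head; };

int list_add(struct list *l, char *name, char *value) {
    struct item *it = xrealloc(NULL, sizeof *it);
    if (it == NULL) return -1;              /* caller keeps name/value */
    it->name = name; it->value = value; it->next = l->head; l->head = it;
    return 0;
}
void list_free(struct list *l) {
    while (l->head != NULL) {
        struct item *n = l->head->next;
        xfree(l->head->name); xfree(l->head->value); xfree(l->head);
        l->head = n;
    }
}

/* Shape of bug D400-17 and friends: the add's return value is ignored, so a
 * failed add leaves name/value owned by nobody and the caller reports success. */
int add_param_leaky(struct list *l, const char *n, const char *v) {
    char *name = xstrdup(n), *value = xstrdup(v);
    if (name == NULL || value == NULL) { xfree(name); xfree(value); return -1; }
    list_add(l, name, value);               /* BUG: return value ignored */
    return 0;
}

/* Fixed shape: ownership only moves on success; otherwise free and fail. */
int add_param_safe(struct list *l, const char *n, const char *v) {
    char *name = xstrdup(n), *value = xstrdup(v);
    if (name == NULL || value == NULL) { xfree(name); xfree(value); return -1; }
    if (list_add(l, name, value) != 0) { xfree(name); xfree(value); return -1; }
    return 0;
}

/* Each driver injects one allocation failure and returns the number of blocks
 * still allocated once everything reachable has been freed (0 = no leak). */
int leaked_blocks_realloc(int use_safe) {
    live_blocks = 0;
    size_t cap = 4;
    char *s = xrealloc(NULL, cap);
    strcpy(s, "abc");
    fail_countdown = 1;                     /* the growth realloc fails */
    (void)(use_safe ? append_safe(&s, &cap, "defg") : append_leaky(&s, &cap, "defg"));
    xfree(s);                               /* NULL after the leaky variant */
    return live_blocks;
}
int leaked_blocks_list(int use_safe) {
    live_blocks = 0;
    struct list l = { NULL };
    fail_countdown = 3;                     /* name, value succeed; node fails */
    (void)(use_safe ? add_param_safe(&l, "transport", "tcp")
                    : add_param_leaky(&l, "transport", "tcp"));
    list_free(&l);                          /* list is empty either way */
    return live_blocks;
}

int main(void) {
    printf("realloc pattern: leaky=%d safe=%d blocks leaked\n",
           leaked_blocks_realloc(0), leaked_blocks_realloc(1));
    printf("add pattern:     leaky=%d safe=%d blocks leaked\n",
           leaked_blocks_list(0), leaked_blocks_list(1));
    return 0;
}
```

The counter only distinguishes "reachable and freed" from "unreachable"; under a real build the same drivers run cleanly with ASan/LSan or valgrind, which report the leaky variants and stay quiet on the safe ones.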