osip-dev

[osip-dev] Some other potential bugs detected by canalyze


From: Zhenbo Xu
Subject: [osip-dev] Some other potential bugs detected by canalyze
Date: Mon, 29 Apr 2013 17:01:18 +0800

Hi, 
A few days ago, I reported some potential null pointer dereferences.
Those are part of the reports our tool produced.
After checking other reports manually, I also found some reports that seem to be real bugs:
1. Bug D400-28
file: osip_message_to_str.c
function: strcat_simple_header
line 196: string = osip_realloc (string, *malloc_size);
When realloc returns null, the original "string" is not freed.

2. Bug D400-17
file: osip_uri.c
function: osip_uri_parse_params
line 449: osip_uri_uparam_add(url, pname, pvalue)
This function may just return i (i = osip_uri_param_init (&url_param); and i != 0), which leaves pvalue unchanged.
line 466: pvalue = (char *) osip_malloc (comma - equal);
overrides pvalue without any free.

3. Bug D400-1
file: osip_from.c
function: __osip_generic_param_parseall
line 563: osip_generic_param_add (gen_params, pname, pvalue);
does not assure pname is added.

4. Bug D400-18
file: osip_uri.c
The same explanation as 2, but with a different allocation site (pname).

5. Bug D400-15
file: osip_uri.c
The same explanation as 2, but with a different allocation site (pname).

6. Bug D400-26
file: osip.c
function: osip_start_200ok_retransmissions
line 187: osip_add_ixt (osip, ixt);
osip_list_add does not assure ixt is added to the list.

7. Bug D400-19
file: osip_uri.c
The same explanation as 2, but with a different allocation site.

8. Bug D400-20
file: osip_uri.c
The same explanation as 2, but with a different allocation site.

9. Bug D400-2
file: osip_from.c
function: __osip_generic_param_parseall
The same explanation as 2, but in a different file.
Allocation site, line 509: pname = (char *) osip_malloc (equal - params);
Overridden at line 556: pname = (char *) osip_malloc (equal - params);

10. Bug D400-21
file: osip_uri.c
function: __osip_uri_escape_nonascii_and_nondef
line 879: ns = osip_realloc (ns, alloc);
Function realloc doesn't make sure ns is freed when returning null.

11. Bug D400-16
file: osip_uri.c
function: osip_uri_parse_headers
line 381: hvalue = (char *) osip_malloc (headers + strlen (headers) - equal + 1);
Function osip_uri_uheader_add does not assure hvalue is added to the list.

All of the use after free reports are caused by function __osip_sdp_append_string (string, size, tmp, "a=");
in which "string" may be freed (by calling realloc(string, size)).

And the double locking report is sort of too complicated to confirm... It is ok if you ignore it.

The full list of reports is here. Or you can download them from here.

Hope for your replies.

BTW: If I have been boring you or you aren't concerned about the bugs I reported, please let me know :)

Best Regards

--
Zhenbo Xu
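Reports 1 and 10 above share one pattern: the result of realloc() is assigned straight back to the only pointer holding the old block, so a NULL return leaks it. The following is an added example written for this archive page, not code from the email or from libosip; the function names (grow_buffer, append_string, build_header_line) and the fail_next_realloc test hook are constructed for illustration. It shows the temporary-pointer idiom that keeps the old buffer owned and freeable when growth fails.

```c
#include <stdlib.h>
#include <string.h>

/* Test hook (constructed): when non-zero, the next growth attempt behaves
 * as if realloc() returned NULL, so the failure path can be exercised. */
int fail_next_realloc = 0;

static void *grow_alloc(void *p, size_t n)
{
    if (fail_next_realloc) { fail_next_realloc = 0; return NULL; }
    return realloc(p, n);
}

/* Grow *buf to hold at least `needed` bytes. Returns 0 on success, -1 on
 * failure; on failure *buf and *cap are untouched, so the caller still
 * owns (and can free) the old block instead of leaking it. */
static int grow_buffer(char **buf, size_t *cap, size_t needed)
{
    size_t newcap = *cap ? *cap : 16;
    char *tmp;
    while (newcap < needed)
        newcap *= 2;
    if (newcap == *cap)
        return 0;                       /* already large enough */
    tmp = grow_alloc(*buf, newcap);     /* never overwrite *buf directly */
    if (tmp == NULL)
        return -1;
    *buf = tmp;
    *cap = newcap;
    return 0;
}

/* Append src to the NUL-terminated string in *buf (NULL means empty).
 * Returns the new length, or (size_t)-1 on allocation failure with *buf
 * still valid and unchanged. */
size_t append_string(char **buf, size_t *cap, const char *src)
{
    size_t len = *buf ? strlen(*buf) : 0;
    size_t add = strlen(src);
    if (grow_buffer(buf, cap, len + add + 1) != 0)
        return (size_t)-1;
    memcpy(*buf + len, src, add + 1);  /* copies the terminating NUL too */
    return len + add;
}

/* Build "name: value\r\n" the way a header serializer would, releasing the
 * partial buffer on failure rather than leaking it. NULL on failure. */
char *build_header_line(const char *name, const char *value)
{
    char *s = NULL;
    size_t cap = 0;
    if (append_string(&s, &cap, name) == (size_t)-1 ||
        append_string(&s, &cap, ": ") == (size_t)-1 ||
        append_string(&s, &cap, value) == (size_t)-1 ||
        append_string(&s, &cap, "\r\n") == (size_t)-1) {
        free(s);   /* s is still the old, valid block (or NULL) */
        return NULL;
    }
    return s;
}
```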
