[asterisk-bugs] [JIRA] (ASTERISK-24566) Uninit buf in WS close()

Matt Jordan (JIRA) noreply at issues.asterisk.org
Mon Dec 8 10:22:29 CST 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-24566?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=223928#comment-223928 ] 

Matt Jordan commented on ASTERISK-24566:
----------------------------------------

I don't really understand why your patch would make a difference here, or how the uninitialized buffer trip is occurring.

The {{frame}} array, given the initialization occurring in the existing code, _must_ be initialized to 0 per the C99 standard:

{quote}
C99 Standard 6.7.8.21

    If there are fewer initializers in a brace-enclosed list than there are elements or members of an aggregate, or fewer characters in a string literal used to initialize an array of known size than there are elements in the array, the remainder of the aggregate shall be initialized implicitly the same as objects that have static storage duration.
{quote}

Thus, there's no reason to change the declaration of frame from {{char frame[4]}} to a {{char *}}. I don't think you've gotten to the root of what was causing the valgrind issue.

> Uninit buf in WS close()
> ------------------------
>
>                 Key: ASTERISK-24566
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24566
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_http_websocket
>    Affects Versions: 11.14.1
>            Reporter: Badalian Vyacheslav
>            Assignee: Badalian Vyacheslav
>            Severity: Critical
>         Attachments: un.diff
>
>
> {code}
> ==50066== Thread 35:
> ==50066== Conditional jump or move depends on uninitialised value(s)
> ==50066==    at 0x37C9E722CB: _IO_file_overflow@@GLIBC_2.2.5 (fileops.c:872)
> ==50066==    by 0x37C9E74638: _IO_default_xsputn (genops.c:485)
> ==50066==    by 0x37C9E71791: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1372)
> ==50066==    by 0x37C9E67A4C: fwrite (iofwrite.c:45)
> ==50066==    by 0x59A62E: ast_careful_fwrite (utils.c:1403)
> ==50066==    by 0x9F86F96: ast_websocket_close (res_http_websocket.c:211)
> ==50066==    by 0x9F86B3B: session_destroy_fn (res_http_websocket.c:125)
> ==50066==    by 0x44D123: internal_ao2_ref (astobj2.c:466)
> ==50066==    by 0x44D444: __ao2_ref (astobj2.c:548)
> ==50066==    by 0x9F872D9: ast_websocket_unref (res_http_websocket.c:288)
> ==50066==    by 0x11245ACD: __sip_destroy (chan_sip.c:6487)
> ==50066==    by 0x11246A92: sip_destroy (chan_sip.c:6688)
> ==50066==  Uninitialised value was created by a stack allocation
> ==50066==    at 0x9F86EA9: ast_websocket_close (res_http_websocket.c:193)
> ==50066==
> ==50066== Syscall param write(buf) points to uninitialised byte(s)
> ==50066==    at 0x37C9EDB61D: ??? (syscall-template.S:82)
> ==50066==    by 0x5891EC: tcptls_stream_write (tcptls.c:335)
> ==50066==    by 0x37C9E66FD8: _IO_cookie_write (iofopncook.c:72)
> ==50066==    by 0x37C9E73084: _IO_do_write@@GLIBC_2.2.5 (fileops.c:522)
> ==50066==    by 0x37C9E723DE: _IO_file_overflow@@GLIBC_2.2.5 (fileops.c:881)
> ==50066==    by 0x37C9E74638: _IO_default_xsputn (genops.c:485)
> ==50066==    by 0x37C9E71791: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1372)
> ==50066==    by 0x37C9E67A4C: fwrite (iofwrite.c:45)
> ==50066==    by 0x59A62E: ast_careful_fwrite (utils.c:1403)
> ==50066==    by 0x9F86F96: ast_websocket_close (res_http_websocket.c:211)
> ==50066==    by 0x9F86B3B: session_destroy_fn (res_http_websocket.c:125)
> ==50066==    by 0x44D123: internal_ao2_ref (astobj2.c:466)
> ==50066==  Address 0x6eb0e73 is 131 bytes inside a block of size 280 alloc'd
> ==50066==    at 0x4A06A2E: malloc (vg_replace_malloc.c:270)
> ==50066==    by 0x37C9E6718D: fopencookie@@GLIBC_2.2.5 (iofopncook.c:200)
> ==50066==    by 0x5895DB: tcptls_stream_fopen (tcptls.c:506)
> ==50066==    by 0x589895: handle_tcptls_connection (tcptls.c:592)
> ==50066==    by 0x599DDB: dummy_start (utils.c:1192)
> ==50066==    by 0x37CA2079D0: start_thread (pthread_create.c:301)
> ==50066==    by 0x37C9EE89DC: clone (clone.S:115)
> ==50066==  Uninitialised value was created by a stack allocation
> ==50066==    at 0x9F86EA9: ast_websocket_close (res_http_websocket.c:193)
> ==50066==
> {code}
> Patch attached below



--
This message was sent by Atlassian JIRA
(v6.2#6252)
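As an added illustration of the C99 6.7.8.21 point made in the comment (example code written for this page, not Asterisk's ast_websocket_close() and not the attached un.diff): a hypothetical builder for the 4-byte WebSocket close frame (FIN plus close opcode 0x88, payload length 2, a 2-byte status code in network byte order, a layout assumed from RFC 6455 since the page does not show Asterisk's own frame code) that relies on a partial brace initializer, beside a memset-based version, with a check that the two agree byte for byte so that no byte handed to write() is left indeterminate.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Length of a WebSocket close frame carrying only a status code:
 * 1 byte FIN|opcode, 1 byte payload length, 2 bytes status (RFC 6455). */
#define WS_CLOSE_FRAME_LEN 4

/* Hypothetical builder (assumed layout, not Asterisk's code). The brace
 * initializer names only the first two elements; per C99 6.7.8.21 the
 * rest are implicitly zeroed, so tmp is fully defined before use. */
size_t build_close_frame_braces(unsigned char out[WS_CLOSE_FRAME_LEN], uint16_t status)
{
    unsigned char tmp[WS_CLOSE_FRAME_LEN] = { 0x88, 0x02 };
    tmp[2] = (unsigned char)(status >> 8);   /* network byte order */
    tmp[3] = (unsigned char)(status & 0xff);
    memcpy(out, tmp, sizeof(tmp));
    return sizeof(tmp);
}

/* Same frame built with memset plus explicit stores, for comparison. */
size_t build_close_frame_memset(unsigned char out[WS_CLOSE_FRAME_LEN], uint16_t status)
{
    memset(out, 0, WS_CLOSE_FRAME_LEN);
    out[0] = 0x88;
    out[1] = 0x02;
    out[2] = (unsigned char)(status >> 8);
    out[3] = (unsigned char)(status & 0xff);
    return WS_CLOSE_FRAME_LEN;
}

/* 1 when both builders yield identical, fully written frames of the
 * expected length, i.e. nothing Valgrind would flag as uninitialised. */
int close_frames_agree(uint16_t status)
{
    unsigned char a[WS_CLOSE_FRAME_LEN], b[WS_CLOSE_FRAME_LEN];
    size_t na = build_close_frame_braces(a, status);
    size_t nb = build_close_frame_memset(b, status);
    return na == WS_CLOSE_FRAME_LEN && nb == na && memcmp(a, b, na) == 0;
}

/* Byte i of the brace-initialized frame for status, or -1 if out of range. */
int close_frame_byte(uint16_t status, size_t i)
{
    unsigned char f[WS_CLOSE_FRAME_LEN];
    if (i >= build_close_frame_braces(f, status)) return -1;
    return f[i];
}
```

Running a binary built from this under Valgrind reports no uninitialised bytes for either builder, which is why a partial initializer alone cannot explain the report quoted in the issue.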


