[asterisk-bugs] [JIRA] (ASTERISK-24566) Uninit buf in WS close()

Badalian Vyacheslav (JIRA) noreply at issues.asterisk.org
Fri Nov 28 18:35:28 CST 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-24566?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=223748#comment-223748 ] 

Badalian Vyacheslav edited comment on ASTERISK-24566 at 11/28/14 6:33 PM:
--------------------------------------------------------------------------

It's because you use {{ast_websocket_close(session, 0)}} in {{session_destroy_fn}} and reason 0 has 1 byte in reason header.



was (Author: slavon):
It's because you use {{ast_websocket_close(session, 0)}} in {{session_destroy_fn}} and reason 0 has 1 byte in reason header.

1. I rewrote close() the same as write() (code must use the same code style in different parts).
2. Also you never free allocated bytes in {{ast_websocket_write - char *frame}} before return. It is a memory leak.

> Uninit buf in WS close()
> ------------------------
>
>                 Key: ASTERISK-24566
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24566
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_http_websocket
>    Affects Versions: 11.14.1
>            Reporter: Badalian Vyacheslav
>            Severity: Critical
>
> {code}
> ==50066== Thread 35:
> ==50066== Conditional jump or move depends on uninitialised value(s)
> ==50066==    at 0x37C9E722CB: _IO_file_overflow@@GLIBC_2.2.5 (fileops.c:872)
> ==50066==    by 0x37C9E74638: _IO_default_xsputn (genops.c:485)
> ==50066==    by 0x37C9E71791: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1372)
> ==50066==    by 0x37C9E67A4C: fwrite (iofwrite.c:45)
> ==50066==    by 0x59A62E: ast_careful_fwrite (utils.c:1403)
> ==50066==    by 0x9F86F96: ast_websocket_close (res_http_websocket.c:211)
> ==50066==    by 0x9F86B3B: session_destroy_fn (res_http_websocket.c:125)
> ==50066==    by 0x44D123: internal_ao2_ref (astobj2.c:466)
> ==50066==    by 0x44D444: __ao2_ref (astobj2.c:548)
> ==50066==    by 0x9F872D9: ast_websocket_unref (res_http_websocket.c:288)
> ==50066==    by 0x11245ACD: __sip_destroy (chan_sip.c:6487)
> ==50066==    by 0x11246A92: sip_destroy (chan_sip.c:6688)
> ==50066==  Uninitialised value was created by a stack allocation
> ==50066==    at 0x9F86EA9: ast_websocket_close (res_http_websocket.c:193)
> ==50066==
> ==50066== Syscall param write(buf) points to uninitialised byte(s)
> ==50066==    at 0x37C9EDB61D: ??? (syscall-template.S:82)
> ==50066==    by 0x5891EC: tcptls_stream_write (tcptls.c:335)
> ==50066==    by 0x37C9E66FD8: _IO_cookie_write (iofopncook.c:72)
> ==50066==    by 0x37C9E73084: _IO_do_write@@GLIBC_2.2.5 (fileops.c:522)
> ==50066==    by 0x37C9E723DE: _IO_file_overflow@@GLIBC_2.2.5 (fileops.c:881)
> ==50066==    by 0x37C9E74638: _IO_default_xsputn (genops.c:485)
> ==50066==    by 0x37C9E71791: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1372)
> ==50066==    by 0x37C9E67A4C: fwrite (iofwrite.c:45)
> ==50066==    by 0x59A62E: ast_careful_fwrite (utils.c:1403)
> ==50066==    by 0x9F86F96: ast_websocket_close (res_http_websocket.c:211)
> ==50066==    by 0x9F86B3B: session_destroy_fn (res_http_websocket.c:125)
> ==50066==    by 0x44D123: internal_ao2_ref (astobj2.c:466)
> ==50066==  Address 0x6eb0e73 is 131 bytes inside a block of size 280 alloc'd
> ==50066==    at 0x4A06A2E: malloc (vg_replace_malloc.c:270)
> ==50066==    by 0x37C9E6718D: fopencookie@@GLIBC_2.2.5 (iofopncook.c:200)
> ==50066==    by 0x5895DB: tcptls_stream_fopen (tcptls.c:506)
> ==50066==    by 0x589895: handle_tcptls_connection (tcptls.c:592)
> ==50066==    by 0x599DDB: dummy_start (utils.c:1192)
> ==50066==    by 0x37CA2079D0: start_thread (pthread_create.c:301)
> ==50066==    by 0x37C9EE89DC: clone (clone.S:115)
> ==50066==  Uninitialised value was created by a stack allocation
> ==50066==    at 0x9F86EA9: ast_websocket_close (res_http_websocket.c:193)
> ==50066==
> {code}
> Patch attached below



--
This message was sent by Atlassian JIRA
(v6.2#6252)
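
The Valgrind report above shows bytes from a stack buffer in ast_websocket_close reaching write() without ever being set. The following is an added example, not Asterisk's code and not the attached patch: it shows that class of bug in a WebSocket close-frame builder and a check that catches it without Valgrind. The function names, the 4-byte frame layout, the constructed buggy variant and the fallback to status 1000 are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WS_FIN          0x80u
#define WS_OPCODE_CLOSE 0x08u
#define WS_FRAME_LEN    4u   /* 2-byte header + 2-byte status code */

typedef size_t (*close_builder)(uint8_t *frame, uint16_t reason);

/* Constructed buggy variant (hypothetical): announces a 2-byte payload
 * but fills it only when a reason is given, so reason 0 sends whatever
 * was already in the buffer. */
size_t build_close_buggy(uint8_t *frame, uint16_t reason)
{
    frame[0] = WS_FIN | WS_OPCODE_CLOSE;
    frame[1] = 2;
    if (reason) {
        frame[2] = (uint8_t)(reason >> 8);
        frame[3] = (uint8_t)(reason & 0xff);
    }
    return WS_FRAME_LEN;
}

/* Hardened variant: every byte that is sent is written; reason 0 is
 * assumed to mean 1000, normal closure (RFC 6455 section 7.4.1). */
size_t build_close_fixed(uint8_t *frame, uint16_t reason)
{
    if (reason == 0)
        reason = 1000;
    frame[0] = WS_FIN | WS_OPCODE_CLOSE;
    frame[1] = 2;
    frame[2] = (uint8_t)(reason >> 8);   /* network byte order */
    frame[3] = (uint8_t)(reason & 0xff);
    return WS_FRAME_LEN;
}

/* Differential poisoning: build the frame over two different fill
 * patterns. Returns 1 if any byte that would be sent depends on the
 * buffer's prior contents, 0 if the output is fully determined. */
int leaks_stale_bytes(close_builder build, uint16_t reason)
{
    uint8_t a[WS_FRAME_LEN], b[WS_FRAME_LEN];
    memset(a, 0xAA, sizeof(a));
    memset(b, 0x55, sizeof(b));
    size_t la = build(a, reason);
    size_t lb = build(b, reason);
    return la != lb || la > sizeof(a) || memcmp(a, b, la) != 0;
}
```

Because the harness pre-fills both buffers, the buggy variant can be exercised in a unit test without reading indeterminate memory.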


