[asterisk-bugs] [JIRA] (ASTERISK-25761) USAN: Potential runtime errors causing undefined behavior

Corey Farrell (JIRA) noreply at issues.asterisk.org
Fri Feb 12 13:01:32 CST 2016 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-25761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=229468#comment-229468 ] 

Corey Farrell commented on ASTERISK-25761:
------------------------------------------

I've commented on each of the findings.

I think these should be ignored, the hash functions are not actually undefined, 
{quote}
/root/asterisk-13.7.0/include/asterisk/strings.h	1181	15	 runtime error	 signed integer overflow  193410279 * 33 cannot be represented in type 'int'
/root/asterisk-13.7.0/include/asterisk/strings.h	1221	15	 runtime error	 signed integer overflow  193404514 * 33 cannot be represented in type 'int'
{quote}

These should have slight modification to the code.  Instead of {{(1 << 31)}} it should say {{(1U << 31)}} for chan_sip flags, {{(1ULL << 31)}} for chan_iax flags.
{quote}
chan_iax2.c	13511	2	 runtime error	 left shift of 1 by 31 places cannot be represented in type 'int'
chan_sip.c	8724	2	 runtime error	 left shift of 1 by 31 places cannot be represented in type 'int'
chan_sip.c	8725	2	 runtime error	 left shift of 3 by 30 places cannot be represented in type 'int'
chan_sip.c	29976	3	 runtime error	 left shift of 1 by 31 places cannot be represented in type 'int'
chan_sip.c	29977	3	 runtime error	 left shift of 1 by 31 places cannot be represented in type 'int'
chan_sip.c	30304	2	 runtime error	 left shift of 1 by 31 places cannot be represented in type 'int'
chan_sip.c	30305	2	 runtime error	 left shift of 3 by 30 places cannot be represented in type 'int'
{quote}

This looks like an actual bug.  The header contains {{#define EDIT_DISABLED 1<<2}}, then the source uses {{el->el_flags &= ~EDIT_DISABLED;}}.  This source becomes {{el->el_flags &= (~1)<<2;}}.  Is this an issue on the real editline library?  If so a ticket should be opened upstream (and maybe with the major distros).
{quote}
el.c	244	21	 runtime error	 left shift of negative value -2
{quote}

These each require a backtrace to troubleshoot.
{quote}
format_cap.c	173	7	 runtime error	 null pointer passed as argument 2, which is declared to never be null
stasis_message_router.c	113	8	 runtime error	 null pointer passed as argument 2, which is declared to never be null
stasis.c	913	8	 runtime error	 null pointer passed as argument 2, which is declared to never be null
{quote}

The following are codecs.  I'm not sure if these are coding error's, if they should be unsigned variables instead of signed, or if they are intentionally taking advantage of the behavior.  Can the "left shift of negative value" warning be suppressed for everything within the codecs folder?
{quote}
codec_adpcm.c	151	23	 runtime error	 left shift of negative value -4
codec_g726.c	621	25	 runtime error	 left shift of negative value -12
codec_g726.c	678	25	 runtime error	 left shift of negative value -12
g722/g722_decode.c	80	39	 runtime error	 left shift of negative value -192
g722/g722_decode.c	373	49	 runtime error	 left shift of negative value -1
g722/g722_encode.c	80	39	 runtime error	 left shift of negative value -1
src/lpc.c	156	28	 runtime error	 left shift of negative value -2961983
src/lpc.c	235	42	 runtime error	 left shift of negative value -3457934
src/preprocess.c	92	8	 runtime error	 left shift of negative value -4
src/rpe.c	336	16	 runtime error	 left shift of negative value -4
src/rpe.c	380	8	 runtime error	 left shift of negative value -1
src/short_term.c	64	2	 runtime error	 left shift of negative value -18
src/short_term.c	67	2	 runtime error	 left shift of negative value -2560
src/short_term.c	70	2	 runtime error	 left shift of negative value -1792
src/short_term.c	71	2	 runtime error	 left shift of negative value -341
src/short_term.c	72	2	 runtime error	 left shift of negative value -1
{quote}

Well {{~0L}} does equal -1.  I'm not sure if this is a problem, or how we would fix/suppress this warning.  I'm also unsure if/how this would cause incorrect behavior.
{quote}
stdtime/localtime.c	828	20	 runtime error	 left shift of negative value -1
{quote}

> USAN: Potential runtime errors causing undefined behavior
> ---------------------------------------------------------
>
>                 Key: ASTERISK-25761
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25761
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>    Affects Versions: 13.7.0
>         Environment: gcc version 5.2.1 20150902 (Red Hat 5.2.1-2) (GCC)
>            Reporter: Badalian Vyacheslav
>            Severity: Minor
>
> Hello!
> I send you a list of the errors found. Usan test. All errors are shown at the time of loading of modules. I hope you would be interested :)
> {code}
> /root/asterisk-13.7.0/include/asterisk/strings.h	1181	15	 runtime error	 signed integer overflow  193410279 * 33 cannot be represented in type 'int'
> /root/asterisk-13.7.0/include/asterisk/strings.h	1221	15	 runtime error	 signed integer overflow  193404514 * 33 cannot be represented in type 'int'
> chan_iax2.c	13511	2	 runtime error	 left shift of 1 by 31 places cannot be represented in type 'int'
> chan_sip.c	8724	2	 runtime error	 left shift of 1 by 31 places cannot be represented in type 'int'
> chan_sip.c	8725	2	 runtime error	 left shift of 3 by 30 places cannot be represented in type 'int'
> chan_sip.c	29976	3	 runtime error	 left shift of 1 by 31 places cannot be represented in type 'int'
> chan_sip.c	29977	3	 runtime error	 left shift of 1 by 31 places cannot be represented in type 'int'
> chan_sip.c	30304	2	 runtime error	 left shift of 1 by 31 places cannot be represented in type 'int'
> chan_sip.c	30305	2	 runtime error	 left shift of 3 by 30 places cannot be represented in type 'int'
> codec_adpcm.c	151	23	 runtime error	 left shift of negative value -4
> codec_g726.c	621	25	 runtime error	 left shift of negative value -12
> codec_g726.c	678	25	 runtime error	 left shift of negative value -12
> el.c	244	21	 runtime error	 left shift of negative value -2
> format_cap.c	173	7	 runtime error	 null pointer passed as argument 2, which is declared to never be null
> g722/g722_decode.c	80	39	 runtime error	 left shift of negative value -192
> g722/g722_decode.c	373	49	 runtime error	 left shift of negative value -1
> g722/g722_encode.c	80	39	 runtime error	 left shift of negative value -1
> src/lpc.c	156	28	 runtime error	 left shift of negative value -2961983
> src/lpc.c	235	42	 runtime error	 left shift of negative value -3457934
> src/preprocess.c	92	8	 runtime error	 left shift of negative value -4
> src/rpe.c	336	16	 runtime error	 left shift of negative value -4
> src/rpe.c	380	8	 runtime error	 left shift of negative value -1
> src/short_term.c	64	2	 runtime error	 left shift of negative value -18
> src/short_term.c	67	2	 runtime error	 left shift of negative value -2560
> src/short_term.c	70	2	 runtime error	 left shift of negative value -1792
> src/short_term.c	71	2	 runtime error	 left shift of negative value -341
> src/short_term.c	72	2	 runtime error	 left shift of negative value -1
> stasis_message_router.c	113	8	 runtime error	 null pointer passed as argument 2, which is declared to never be null
> stasis.c	913	8	 runtime error	 null pointer passed as argument 2, which is declared to never be null
> stdtime/localtime.c	828	20	 runtime error	 left shift of negative value -1
> {code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list