[asterisk-bugs] [JIRA] (ASTERISK-26195) static analysis: Out of bound array access

Sean Bright (JIRA) noreply at issues.asterisk.org
Tue Aug 22 14:32:08 CDT 2017


    [ https://issues.asterisk.org/jira/browse/ASTERISK-26195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=238173#comment-238173 ] 

Sean Bright commented on ASTERISK-26195:
----------------------------------------

I'm pretty sure that all of these are false positives. In all 3 cases, we are using the {{char\[1\]-as-last-member-of-struct}} "trick" and the buffer lengths appear to be calculated correctly.

> static analysis: Out of bound array access 
> -------------------------------------------
>
>                 Key: ASTERISK-26195
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-26195
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Applications/app_voicemail, Core/Channels, Core/ManagerInterface
>            Reporter: Matt Jordan
>            Assignee: Matt Jordan
>         Attachments: report-328195.html, report-6b239f.html, report-fee2e3.html
>
>
> Clang's static analysis tool identified three potential out-of-bound array access violations:
> # {{apps/app_voicemail.c}}:
> {code}
> 13141		if (!ast_strlen_zero(p->context)) {
> 		[5] Taking true branch
> 13142			strcat(mwi_sub->mailbox, "@");
> 		[6] String copy function overflows destination buffer
> 13143			strcat(mwi_sub->mailbox, p->context);
> 13144		}
> {code}
> # {{main/manager.c}}:
> {code}
> 6682		tmp->tv = ast_tvnow();
> 6683		AST_RWLIST_NEXT(tmp, eq_next) = NULL;
> 6684		strcpy(tmp->eventdata, str);
> 		[7] String copy function overflows destination buffer
> 6685
> 6686		AST_RWLIST_WRLOCK(&all_events);
> {code}
> # {{main/channel.c}}:
> {code}
> 7384			if (!member) {
> 		[9] Assuming 'member' is non-null
> 		[10] Taking false branch
> 7385				ao2_ref(namedgroups, -1);
> 7386				return NULL;
> 7387			}
> 7388			strcpy(member->name, piece);/* Safe */
> 		[11] String copy function overflows destination buffer
> 7389			member->hash = ast_str_hash(member->name);
> {code}
> See the attached reports on this issue for more information.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
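
The char[1]-as-last-member pattern named in the comment above, as an added example that is not Asterisk code and not part of the original message: the analyzer sees a 1-byte array at the copy site, while the allocation is sized from the strings that will be written. The struct and function names are hypothetical, and bounded memcpy calls stand in for the strcat calls in the report.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical struct, not Asterisk's definition. The declared bound of
 * mailbox[] is 1, which is all an analyzer sees at the copy site. */
struct mwi_example {
	int id;
	char mailbox[1];	/* really runs to the end of the allocation */
};

/* Bytes the trailing array must hold for "mailbox" or "mailbox@context",
 * including the terminating NUL. */
size_t mailbox_bytes_needed(const char *mailbox, const char *context)
{
	size_t n = strlen(mailbox) + 1;

	if (context && *context) {
		n += 1 + strlen(context);	/* '@' plus the context */
	}
	return n;
}

/* sizeof() already counts the one declared byte, so subtract it once. */
size_t mwi_alloc_size(const char *mailbox, const char *context)
{
	return sizeof(struct mwi_example)
		+ mailbox_bytes_needed(mailbox, context) - 1;
}

struct mwi_example *mwi_example_new(const char *mailbox, const char *context)
{
	struct mwi_example *sub = calloc(1, mwi_alloc_size(mailbox, context));
	char *dst;

	if (!sub) {
		return NULL;
	}
	dst = sub->mailbox;
	memcpy(dst, mailbox, strlen(mailbox));
	dst += strlen(mailbox);
	if (context && *context) {
		*dst++ = '@';
		memcpy(dst, context, strlen(context));
		dst += strlen(context);
	}
	*dst = '\0';	/* last of the mailbox_bytes_needed() bytes */
	return sub;
}
```

Reviewing a finding of this kind comes down to comparing the allocation size at the allocation site with offsetof(struct, member) plus every byte the later copies write.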


