[Asterisk-code-review] fix: memory leaks, resource leaks, out of bounds and bugs (asterisk[master])

Alexei Gradinari asteriskteam at digium.com
Fri Jun 17 13:53:07 CDT 2016


Alexei Gradinari has uploaded a new change for review.

  https://gerrit.asterisk.org/3039

Change subject: fix: memory leaks, resource leaks, out of bounds and bugs
......................................................................

fix: memory leaks, resource leaks, out of bounds and bugs

ASTERISK-26119 #close

Change-Id: Iecbf7d0f360a021147344c4e83ab242fd1e7512c
---
M main/ast_expr2.c
M main/ast_expr2.y
M main/say.c
M res/ael/pval.c
M res/res_phoneprov.c
M res/res_pjsip_sdp_rtp.c
6 files changed, 71 insertions(+), 23 deletions(-)


  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/39/3039/1

diff --git a/main/ast_expr2.c b/main/ast_expr2.c
index c700b01..b914598 100644
--- a/main/ast_expr2.c
+++ b/main/ast_expr2.c
@@ -3669,13 +3669,20 @@
 	/* strip double quotes from both -- */
 	strip_quotes(a);
 	strip_quotes(b);
-	
+
 	vs = malloc(strlen(a->u.s)+strlen(b->u.s)+1);
+	if (vs == NULL) {
+		ast_log(LOG_WARNING, "malloc() failed\n");
+		return NULL;
+	}
+
 	strcpy(vs,a->u.s);
 	strcat(vs,b->u.s);
 
 	v = make_str(vs);
 
+	free(vs);
+
 	/* free arguments */
 	free_value(a);
 	free_value(b);
diff --git a/main/ast_expr2.y b/main/ast_expr2.y
index df87bcc..4203ebd 100644
--- a/main/ast_expr2.y
+++ b/main/ast_expr2.y
@@ -1664,11 +1664,18 @@
 	strip_quotes(b);
 	
 	vs = malloc(strlen(a->u.s)+strlen(b->u.s)+1);
+	if (vs == NULL) {
+		ast_log(LOG_WARNING, "malloc() failed\n");
+		return NULL;
+	}
+
 	strcpy(vs,a->u.s);
 	strcat(vs,b->u.s);
 
 	v = make_str(vs);
 
+	free(vs);
+
 	/* free arguments */
 	free_value(a);
 	free_value(b);
diff --git a/main/say.c b/main/say.c
index 6e51de2..a294a8c 100644
--- a/main/say.c
+++ b/main/say.c
@@ -8522,8 +8522,9 @@
                      case '\'':
                              /* Literal name of a sound file */
                              sndoffset=0;
-                             for (sndoffset=0 ; (format[++offset] != '\'') && (sndoffset < 256) ; sndoffset++)
+                             for (sndoffset = 0 ; (format[++offset] != '\'') && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++) {
                                      sndfile[sndoffset] = format[offset];
+                             }
                              sndfile[sndoffset] = '\0';
                              res = wait_file(chan,ints,sndfile,lang);
                              break;
diff --git a/res/ael/pval.c b/res/ael/pval.c
index d5ea5ac..2322e00 100644
--- a/res/ael/pval.c
+++ b/res/ael/pval.c
@@ -3356,9 +3356,9 @@
 #ifdef OLD_RAND_ACTION
 	struct ael_priority *rand_test, *rand_end, *rand_skip;
 #endif
-	char *buf1;
-	char *buf2;
-	char *new_label;
+	RAII_VAR(char *, buf1, NULL, ast_free);
+	RAII_VAR(char *, buf2, NULL, ast_free);
+	RAII_VAR(char *, new_label, NULL, ast_free);
 	char *strp, *strp2;
 	int default_exists;
 	int local_control_statement_count;
@@ -4192,9 +4192,6 @@
 			break;
 		}
 	}
-	free(buf1);
-	free(buf2);
-	free(new_label);
 	return 0;
 }
 
@@ -5053,7 +5050,10 @@
 pval *pvalCreateNode( pvaltype type )
 {
 	pval *p = calloc(1,sizeof(pval)); /* why, oh why, don't I use ast_calloc? Way, way, way too messy if I do! */
-	p->type = type;                   /* remember, this can be used externally or internally to asterisk */
+					  /* remember, this can be used externally or internally to asterisk */
+	if (p) {
+		p->type = type;
+	}
 	return p;
 }
 
@@ -5414,14 +5414,29 @@
 
 void pvalIncludesAddIncludeWithTimeConstraints( pval *p, const char *include, char *hour_range, char *dom_range, char *dow_range, char *month_range )
 {
-	pval *hr = pvalCreateNode(PV_WORD);
-	pval *dom = pvalCreateNode(PV_WORD);
-	pval *dow = pvalCreateNode(PV_WORD);
-	pval *mon = pvalCreateNode(PV_WORD);
-	pval *s = pvalCreateNode(PV_WORD);
-	
-	if (!pvalCheckType(p, "pvalIncludeAddIncludeWithTimeConstraints", PV_INCLUDES))
+	pval *hr;
+	pval *dom;
+	pval *dow;
+	pval *mon;
+	pval *s;
+
+	if (!pvalCheckType(p, "pvalIncludeAddIncludeWithTimeConstraints", PV_INCLUDES)) {
 		return;
+	}
+
+	hr = pvalCreateNode(PV_WORD);
+	dom = pvalCreateNode(PV_WORD);
+	dow = pvalCreateNode(PV_WORD);
+	mon = pvalCreateNode(PV_WORD);
+	s = pvalCreateNode(PV_WORD);
+
+	if (!hr || !dom || !dow || !mon || !s) {
+		destroy_pval(hr);
+		destroy_pval(dom);
+		destroy_pval(dow);
+		destroy_pval(mon);
+		destroy_pval(s);
+	}
 
 	s->u1.str = (char *)include;
 	p->u1.list = linku1(p->u1.list, s);
@@ -5668,12 +5683,27 @@
 
 void pvalIfTimeSetCondition( pval *p, char *hour_range, char *dow_range, char *dom_range, char *mon_range )  /* time range format: 24-hour format begin-end|dow range|dom range|month range */
 {
-	pval *hr = pvalCreateNode(PV_WORD);
-	pval *dow = pvalCreateNode(PV_WORD);
-	pval *dom = pvalCreateNode(PV_WORD);
-	pval *mon = pvalCreateNode(PV_WORD);
-	if (!pvalCheckType(p, "pvalIfTimeSetCondition", PV_IFTIME))
+	pval *hr;
+	pval *dow;
+	pval *dom;
+	pval *mon;
+
+	if (!pvalCheckType(p, "pvalIfTimeSetCondition", PV_IFTIME)) {
 		return;
+	}
+
+	hr = pvalCreateNode(PV_WORD);
+	dow = pvalCreateNode(PV_WORD);
+	dom = pvalCreateNode(PV_WORD);
+	mon = pvalCreateNode(PV_WORD);
+
+	if (!hr || !dom || !dow || !mon) {
+		destroy_pval(hr);
+		destroy_pval(dom);
+		destroy_pval(dow);
+		destroy_pval(mon);
+	}
+
 	pvalWordSetString(hr, hour_range);
 	pvalWordSetString(dow, dow_range);
 	pvalWordSetString(dom, dom_range);
diff --git a/res/res_phoneprov.c b/res/res_phoneprov.c
index b448c8e..2e4f873 100644
--- a/res/res_phoneprov.c
+++ b/res/res_phoneprov.c
@@ -410,10 +410,13 @@
 	fseek(f, 0, SEEK_END);
 	len = ftell(f);
 	fseek(f, 0, SEEK_SET);
-	if (!(*ret = ast_malloc(len + 1)))
+	if (!(*ret = ast_malloc(len + 1))) {
+		fclose(f);
 		return -2;
+	}
 
 	if (len != fread(*ret, sizeof(char), len, f)) {
+		fclose(f);
 		ast_free(*ret);
 		*ret = NULL;
 		return -3;
diff --git a/res/res_pjsip_sdp_rtp.c b/res/res_pjsip_sdp_rtp.c
index 08e80a3..048209c 100644
--- a/res/res_pjsip_sdp_rtp.c
+++ b/res/res_pjsip_sdp_rtp.c
@@ -429,7 +429,7 @@
 		*++tmp = '\0';
 		/* ast...generate gives us everything, just need value */
 		tmp = strchr(ast_str_buffer(fmtp0), ':');
-		if (tmp && tmp + 1) {
+		if (tmp && tmp[1] != '\0') {
 			fmtp1 = pj_str(tmp + 1);
 		} else {
 			fmtp1 = pj_str(ast_str_buffer(fmtp0));

-- 
To view, visit https://gerrit.asterisk.org/3039
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iecbf7d0f360a021147344c4e83ab242fd1e7512c
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Alexei Gradinari <alex2grad at gmail.com>



More information about the asterisk-code-review mailing list