Wed May 13 10:50:41 CDT 2009 Pekka Pessi <first.last@nokia.com>

* msg: fixed possible leak in msg_params_d() with more than 16 params Ignore-this: a45ef326def7b1bcd14de4850f3c24ab Coverity issue. git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@13336 d0543943-73ff-0310-b7d9-9358b9ac24b2
2009-05-15 16:05:15 +00:00 · 2009-05-15 16:05:15 +00:00 · 4c3b2bc4b5
commit 4c3b2bc4b5
parent 6f7641f94a
3 changed files with 32 additions and 7 deletions
--- a/libs/sofia-sip/.update
+++ b/libs/sofia-sip/.update
@ -1 +1 @@
-Fri May 15 11:04:08 CDT 2009
+Fri May 15 11:04:52 CDT 2009
--- a/libs/sofia-sip/libsofia-sip-ua/msg/msg_parser_util.c
+++ b/libs/sofia-sip/libsofia-sip-ua/msg/msg_parser_util.c
@ -415,12 +415,14 @@ issize_t msg_avlist_d(su_home_t *home,

    if (n == N) {
      /* Reallocate params */
-      char **nparams = su_alloc(home,
-				(N = MSG_PARAMS_NUM(N + 1)) * sizeof(*params));
+      char const **nparams = su_realloc(home, params != stack ? params : NULL,
+					(N = MSG_PARAMS_NUM(N + 1)) * sizeof(*params));
      if (!nparams) {
 	goto error;
      }
-      params = memcpy(nparams, params, n * sizeof(*params));
+      if (params == stack)
+	memcpy(nparams, stack, n * sizeof(*params));
+      params = nparams;
    }

    params[n++] = p;
@ -441,12 +443,14 @@ issize_t msg_avlist_d(su_home_t *home,
  }
  else if (n == N) {
    /* Reallocate params */
-    char **nparams = su_alloc(home,
-			      (N = MSG_PARAMS_NUM(N + 1)) * sizeof(*params));
+    char const **nparams = su_realloc(home, params != stack ? params : NULL,
+				      (N = MSG_PARAMS_NUM(N + 1)) * sizeof(*params));
    if (!nparams) {
      goto error;
    }
-    params = memcpy(nparams, params, n * sizeof(*params));
+    if (params == stack)
+      memcpy(nparams, stack, n * sizeof(*params));
+    params = nparams;
  }

  params[n] = NULL;
--- a/libs/sofia-sip/libsofia-sip-ua/msg/test_msg.c
+++ b/libs/sofia-sip/libsofia-sip-ua/msg/test_msg.c
@ -285,6 +285,24 @@ int test_header_parsing(void)
      su_free(home, (void *)p), p = NULL;
    }

+    master = ";0";
+
+    for (i = 1; i < 256; i++) {
+      master = su_sprintf(home, "%s; %u", master, i); TEST_1(master);
+      list = end = su_strdup(home, master);
+      TEST_1(msg_params_d(NULL, &end, &p) >= 0);
+      TEST_S(end, "");
+      TEST_1(p);
+      for (j = 0; j <= i; j++) {
+	char number[10];
+	snprintf(number, sizeof number, "%u", j);
+	TEST_S(p[j], number);
+      }
+      TEST_1(p[i + 1] == NULL);
+      su_free(home, list);
+      su_free(NULL, (void *)p), p = NULL;
+    }
+
    su_home_deinit(home);
  }

@ -722,6 +740,8 @@ int test_msg_parsing(void)
    TEST(msg_serialize(msg, (msg_pub_t *)tst), 0);
  }

+  msg_destroy(msg);
+
  /* Bug #2429 */
  orig = read_msg("GET a-life HTTP/1.1" CRLF
 		 "Foo: bar" CRLF
@ -734,6 +754,7 @@ int test_msg_parsing(void)
  TEST_1(otst);

  msg = msg_copy(orig);
+  msg_destroy(orig);
  tst = msg_test_public(msg);
  TEST_1(tst);