#336 dereference of null pointer bufferevent pointer

For_2.1
open
None
5
2014-08-09
2014-06-30
No

Dear nick,

I am looking into issues in libevent using a static analyzer.
I found that there are some issues with respect to null checks.

Please check the below pull requests at git hub.

https://github.com/libevent/libevent/pull/152/files
https://github.com/libevent/libevent/pull/151/files
https://github.com/libevent/libevent/pull/150/files
https://github.com/libevent/libevent/pull/149/files
https://github.com/libevent/libevent/pull/148/files

I request you to review these pull requests and give your valuable comments,
and merge them if they fix the null dereferencing issues.

Explanation of one of the issues in the below pull request:

https://github.com/libevent/libevent/pull/151/files

In the below function of bufferevent_filter.c, before dereferencing the
bufferevent filter pointer we should check for NULL, as the upcast API might return NULL.

static int be_filter_disable(struct bufferevent *bev, short event)
{
    // 1. returned_null: upcast returns null.
    // 2. var_assigned: Assigning: bevf = null return value from upcast.
    struct bufferevent_filtered *bevf = upcast(bev);

    // 3. Condition event & 4, taking true branch
    if (event & EV_WRITE)
        BEV_DEL_GENERIC_WRITE_TIMEOUT(bev);

    // 4. Condition event & 2, taking true branch
    if (event & EV_READ) {
        BEV_DEL_GENERIC_READ_TIMEOUT(bev);

        // Dereference null return value (NULL_RETURNS)
        // 5. dereference: Dereferencing a null pointer bevf.
        bufferevent_suspend_read(bevf->underlying, BEV_SUSPEND_FILT_READ);
    }
    return 0;
}

############################################################################
// upcast definition
static inline struct bufferevent_filtered *
upcast(struct bufferevent *bev)
{
    struct bufferevent_filtered *bev_f;
    // 1. Condition bev->be_ops != &bufferevent_ops_filter, taking true branch
    if (bev->be_ops != &bufferevent_ops_filter)
        // 2. return_null: Explicitly returning null.
        return NULL;
    bev_f = (void*)( ((char*)bev) - evutil_offsetof(struct bufferevent_filtered, bev.bev));
    EVUTIL_ASSERT(bev_f->bev.bev.be_ops == &bufferevent_ops_filter);
    return bev_f;
}
############################################################################

Thanks & Regards,
Kuldeep Gupta
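As an added example (not the ticket's code and not libevent's own), the following C program models the pattern the ticket describes: a container-style upcast that returns NULL when the bufferevent is not of the expected type, and a disable routine that checks that result before touching bevf->underlying. The struct layouts, the EV_READ value and the suspend_read() helper are simplified stand-ins assumed for the demo, not libevent's definitions.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for libevent's types (assumptions made for this example;
 * not libevent's own definitions). */
struct bufferevent_ops {
    const char *type;
};

struct bufferevent {
    const struct bufferevent_ops *be_ops;
    int read_suspended;             /* set when reads are suspended */
};

struct bufferevent_filtered {
    struct bufferevent bev;         /* the filter's own bufferevent, embedded */
    struct bufferevent *underlying; /* the bufferevent the filter wraps */
};

static const struct bufferevent_ops bufferevent_ops_filter = { "filter" };
static const struct bufferevent_ops bufferevent_ops_socket = { "socket" };

#define EV_READ 0x02                /* assumed flag value for the demo */

/* Same shape as the upcast quoted in the ticket: NULL for a non-filter
 * bufferevent, otherwise the enclosing bufferevent_filtered. */
static struct bufferevent_filtered *upcast(struct bufferevent *bev)
{
    if (bev->be_ops != &bufferevent_ops_filter)
        return NULL;
    return (struct bufferevent_filtered *)
        ((char *)bev - offsetof(struct bufferevent_filtered, bev));
}

/* Stand-in for bufferevent_suspend_read(): just records the suspension. */
static void suspend_read(struct bufferevent *bev)
{
    bev->read_suspended = 1;
}

/* Disable with the NULL check the ticket asks for: a failed upcast is
 * reported as -1 instead of being dereferenced. */
static int be_filter_disable_checked(struct bufferevent *bev, short event)
{
    struct bufferevent_filtered *bevf = upcast(bev);
    if (bevf == NULL)
        return -1;                  /* not a filter bufferevent: refuse */
    if (event & EV_READ)
        suspend_read(bevf->underlying);
    return 0;
}

/* Demo: a filter wrapping a socket bufferevent. Returns 1 when disable
 * succeeds and the underlying bufferevent's reads were suspended. */
static int demo_filter_bufferevent(void)
{
    struct bufferevent underlying = { &bufferevent_ops_socket, 0 };
    struct bufferevent_filtered filt = { { &bufferevent_ops_filter, 0 }, &underlying };
    int rc = be_filter_disable_checked(&filt.bev, EV_READ);
    return rc == 0 && underlying.read_suspended == 1;
}

/* Demo: a plain socket bufferevent handed to the filter's disable. Returns
 * the -1 from the NULL check rather than crashing on bevf->underlying. */
static int demo_plain_bufferevent(void)
{
    struct bufferevent sock = { &bufferevent_ops_socket, 0 };
    return be_filter_disable_checked(&sock, EV_READ);
}

int main(void)
{
    printf("filter bufferevent: %s\n", demo_filter_bufferevent() ? "ok" : "FAIL");
    printf("plain bufferevent : rc=%d\n", demo_plain_bufferevent());
    return 0;
}
```

The unchecked form quoted in the ticket would dereference NULL in demo_plain_bufferevent(); with the check, the mismatch is reported as an error code and the caller decides how to handle it.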

Discussion