
#2424 amfnd: illegal memory access in avnd_comptype_delete()

5.17.07
fixed
Hoa Le
None
defect
amf
nd
minor
False
2017-07-27
2017-04-12
Hoa Le
No

There are some unsafe memory accesses in the avnd_comptype_delete() function. This caused a segfault, as in the attachment.

/src/amf/amfnd/compdb.cc

static amf_comp_type_t *avnd_comptype_create(SaImmHandleT immOmHandle, const std::string& dn)
{
    int rc = -1;
...
    if (amf_saImmOmAccessorGet_o2(immOmHandle, accessorHandle, dn, nullptr, (SaImmAttrValuesT_2 ***)&attributes) != SA_AIS_OK) {
        LOG_ER("amf_saImmOmAccessorGet_o2 FAILED for '%s'", dn.c_str());
        goto done;
    }
...
 done:
    if (rc != 0) {
        avnd_comptype_delete(compt);
        compt = nullptr;
    }
...
}

static void avnd_comptype_delete(amf_comp_type_t *compt)
{
...
    /* Free saAmfCtDefInstantiateCmdArgv[i] before freeing saAmfCtDefInstantiateCmdArgv */
    arg_counter = 0;
    while ((argv = compt->saAmfCtDefInstantiateCmdArgv[arg_counter++]) != nullptr)
...
}

In this case, compt->saAmfCtDefInstantiateCmdArgv was NULL, so accessing compt->saAmfCtDefInstantiateCmdArgv[arg_counter++] caused a segmentation fault.

1 Attachments

Related

Tickets: #2424
Wiki: ChangeLog-5.17.07
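
The failure mode reported in this ticket (a cleanup routine walking an array pointer that was never set) together with a NULL-tolerant teardown, as an added C++ sketch that is not OpenSAF code. `comp_type`, `comp_type_create` and `comp_type_delete` are hypothetical stand-ins for the real types and functions, and `fetch_ok` models the result of the attribute lookup.

```cpp
// Added illustration with simplified, hypothetical names; not the project's code.
#include <stdlib.h>
#include <string.h>
#include <string>
#include <vector>

struct comp_type {                    // stand-in for the component type record
  char *name = nullptr;
  char **instantiate_argv = nullptr;  // NULL-terminated; stays nullptr if never read
};

// Teardown that tolerates a null object and any member that was never set.
// Returns the number of argv strings released (returned only so it can be checked).
int comp_type_delete(comp_type *ct) {
  if (ct == nullptr) return 0;
  int freed = 0;
  if (ct->instantiate_argv != nullptr) {  // without this guard the loop reads through NULL
    for (char **p = ct->instantiate_argv; *p != nullptr; ++p) {
      free(*p);
      ++freed;
    }
    free(ct->instantiate_argv);
  }
  free(ct->name);                         // free(nullptr) is a no-op
  delete ct;
  return freed;
}

// fetch_ok is a constructed input that models whether the attribute lookup succeeded.
comp_type *comp_type_create(bool fetch_ok, const std::vector<std::string> &args) {
  if (!fetch_ok) return nullptr;  // fail before allocating: no delete call needed
  comp_type *ct = new comp_type();
  ct->name = strdup("constructed-type");
  ct->instantiate_argv =
      static_cast<char **>(calloc(args.size() + 1, sizeof(char *)));
  if (ct->name == nullptr || ct->instantiate_argv == nullptr) {
    comp_type_delete(ct);         // partially built object: delete must cope
    return nullptr;
  }
  for (size_t i = 0; i < args.size(); ++i)
    ct->instantiate_argv[i] = strdup(args[i].c_str());
  return ct;
}
```
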

Discussion

  • Hoa Le

    Hoa Le - 2017-04-12
    • status: assigned --> review
     
  • Gary Lee

    Gary Lee - 2017-05-01
    • status: review --> fixed
    • Blocker: --> False
     
  • Gary Lee

    Gary Lee - 2017-05-01

    commit 6146f2e39e9dab9e8aaedd323c801359908cadd7
    Author: Hoa Le hoa.le@dektech.com.au
    Date: Tue Apr 25 09:21:29 2017 +0700

    amfnd: Fix illegal memory access in avnd_comptype_delete [#2424]
    
    Problem:
    - There are some unsafe memory accesses which may cause segfault in
    avnd_comptype_delete() function.
    
    Fix:
    - Check if a pointer is valid before accessing it.
    - Minor update in avnd_comptype_create() function to avoid unnecessary
    function call to avnd_comptype_delete().
    

    commit a6dcc6a37fa7a37028a1b23e446312fa8aeb5677
    Author: Hoa Le hoa.le@dektech.com.au
    Date: Tue Apr 25 09:21:29 2017 +0700

    amfnd: Fix illegal memory access in avnd_comptype_delete [#2424]
    
    Problem:
    - There are some unsafe memory accesses which may cause segfault in
    avnd_comptype_delete() function.
    
    Fix:
    - Check if a pointer is valid before accessing it.
    - Minor update in avnd_comptype_create() function to avoid unnecessary
    function call to avnd_comptype_delete().
    

    changeset: 8786:9210d063ed44
    tag: tip
    user: Hoa Le hoa.le@dektech.com.au
    date: Mon May 01 16:13:32 2017 +1000
    summary: amfnd: Fix illegal memory access in avnd_comptype_delete [#2424]

     

    Related

    Tickets: #2424

  • Anders Widell

    Anders Widell - 2017-07-01
    • Milestone: 5.17.06 --> 5.17.08
     
