There are some unsafe memory accesses in the avnd_comptype_delete() function. This caused a segfault, as in the attachment.
/src/amf/amfnd/compdb.cc

```cpp
static amf_comp_type_t *avnd_comptype_create(SaImmHandleT immOmHandle,
                                             const std::string& dn) {
  int rc = -1;
  ...
  if (amf_saImmOmAccessorGet_o2(immOmHandle, accessorHandle, dn, nullptr,
                                (SaImmAttrValuesT_2 ***)&attributes) != SA_AIS_OK) {
    LOG_ER("amf_saImmOmAccessorGet_o2 FAILED for '%s'", dn.c_str());
    goto done;
  }
  ...
done:
  if (rc != 0) {
    avnd_comptype_delete(compt);
    compt = nullptr;
  }
  ...
}

static void avnd_comptype_delete(amf_comp_type_t *compt) {
  ...
  /* Free saAmfCtDefInstantiateCmdArgv[i] before freeing saAmfCtDefInstantiateCmdArgv */
  arg_counter = 0;
  while ((argv = compt->saAmfCtDefInstantiateCmdArgv[arg_counter++]) != nullptr)
    ...
}
```
In this case, compt->saAmfCtDefInstantiateCmdArgv was NULL, so accessing compt->saAmfCtDefInstantiateCmdArgv[arg_counter++] caused a segmentation fault.
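The failure mode above is a cleanup routine that assumes every field of the object was populated, while the error path of the constructor hands it a half-built object. The following is an added, self-contained illustration of that pattern and of a tolerant destructor; it is not OpenSAF code, and `comp_type`, `instantiate_argv`, `comptype_create`, `comptype_delete_unsafe` and `comptype_delete_safe` are made-up stand-ins for `amf_comp_type_t`, `saAmfCtDefInstantiateCmdArgv`, `avnd_comptype_create` and `avnd_comptype_delete`. The `fail_early` flag stands in for the `amf_saImmOmAccessorGet_o2` call failing before the argv array is allocated.

```cpp
#include <cstdlib>
#include <cstring>

// Hypothetical stand-in for amf_comp_type_t (assumption, not the real struct).
struct comp_type {
  char **instantiate_argv;  // NULL-terminated array, or nullptr if never populated
};

// Buggy cleanup, shaped like the loop in the ticket: it walks the argv array
// without checking whether the array was ever allocated. When instantiate_argv
// is nullptr, instantiate_argv[0] is a null-pointer dereference and crashes.
// Kept for contrast only; never call it on a partially-initialised object.
[[maybe_unused]] static void comptype_delete_unsafe(comp_type *compt) {
  int i = 0;
  char *arg;
  while ((arg = compt->instantiate_argv[i++]) != nullptr)
    free(arg);
  free(compt->instantiate_argv);
  delete compt;
}

// Hardened cleanup: tolerate an object whose constructor bailed out early,
// so the same function can be used from every error path.
static void comptype_delete_safe(comp_type *compt) {
  if (compt == nullptr) return;
  if (compt->instantiate_argv != nullptr) {
    for (int i = 0; compt->instantiate_argv[i] != nullptr; ++i)
      free(compt->instantiate_argv[i]);
    free(compt->instantiate_argv);
    compt->instantiate_argv = nullptr;
  }
  delete compt;
}

// Constructor modelled on the goto-done pattern in the ticket. `fail_early`
// simulates the IMM accessor read failing before argv is allocated, which is
// the path that reached the cleanup with instantiate_argv == nullptr.
static comp_type *comptype_create(bool fail_early, int &rc) {
  comp_type *compt = new comp_type{};  // zero-initialised: argv == nullptr
  rc = -1;
  if (fail_early) goto done;
  // Constructed sample data standing in for attributes read from IMM.
  compt->instantiate_argv = static_cast<char **>(calloc(3, sizeof(char *)));
  compt->instantiate_argv[0] = strdup("/usr/bin/true");
  compt->instantiate_argv[1] = strdup("--flag");
  rc = 0;
done:
  if (rc != 0) {
    comptype_delete_safe(compt);  // safe even though argv was never allocated
    compt = nullptr;
  }
  return compt;
}

// Exercises both the early-failure path and the success path; returns true
// when both clean up correctly (no crash, expected rc and pointer values).
static bool run_demo() {
  int rc = 0;
  comp_type *failed = comptype_create(true, rc);
  if (failed != nullptr || rc == 0) return false;
  comp_type *ok = comptype_create(false, rc);
  if (ok == nullptr || rc != 0 || ok->instantiate_argv == nullptr) return false;
  bool has_args = ok->instantiate_argv[0] != nullptr &&
                  strcmp(ok->instantiate_argv[0], "/usr/bin/true") == 0;
  comptype_delete_safe(ok);
  return has_args;
}

int main() { return run_demo() ? 0 : 1; }
```

The general rule this shows: a destructor or delete routine that is reachable from a constructor's error path must treat every field as optional, because the constructor may exit at any point between allocating the object and finishing it. Running the binary under AddressSanitizer (`-fsanitize=address`) also confirms that the safe path frees each argv entry and the array exactly once.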
commit 6146f2e39e9dab9e8aaedd323c801359908cadd7
Author: Hoa Le hoa.le@dektech.com.au
Date: Tue Apr 25 09:21:29 2017 +0700
commit a6dcc6a37fa7a37028a1b23e446312fa8aeb5677
Author: Hoa Le hoa.le@dektech.com.au
Date: Tue Apr 25 09:21:29 2017 +0700
changeset: 8786:9210d063ed44
tag: tip
user: Hoa Le hoa.le@dektech.com.au
date: Mon May 01 16:13:32 2017 +1000
summary: amfnd: Fix illegal memory access in avnd_comptype_delete [#2424]
Related Tickets: #2424