OpenSAF / Tickets / #2424 amfnd: illegal memory access in avnd_comptype

#2424 amfnd: illegal memory access in avnd_comptype_delete()

Milestone: 5.17.07

Status: fixed

Owner: Hoa Le

Labels: None

Type: defect

Component: amf

Part: nd

Version:

Priority: minor

Blocker: False

Updated: 2017-07-27

Created: 2017-04-12

Creator: Hoa Le

Private: No

There are some unsafe memory accesses in avnd_comptype_delete() function. This caused segfault as in attachment.

/src/amf/amfnd/compdb.cc

static amf_comp_type_t *avnd_comptype_create(SaImmHandleT immOmHandle, const std::string& dn)
{
    int rc = -1;
...
    if (amf_saImmOmAccessorGet_o2(immOmHandle, accessorHandle, dn, nullptr, (SaImmAttrValuesT_2 ***)&attributes) != SA_AIS_OK) {
        LOG_ER("amf_saImmOmAccessorGet_o2 FAILED for '%s'", dn.c_str());
        goto done;
    }
...
 done:
    if (rc != 0) {
        avnd_comptype_delete(compt);
        compt = nullptr;
    }
...
}

static void avnd_comptype_delete(amf_comp_type_t *compt)
{
...
    /* Free saAmfCtDefInstantiateCmdArgv[i] before freeing saAmfCtDefInstantiateCmdArgv */
    arg_counter = 0;
    while ((argv = compt->saAmfCtDefInstantiateCmdArgv[arg_counter++]) != nullptr)
...
}

In this case, compt->saAmfCtDefInstantiateCmdArgv was NULL, accessing to compt->saAmfCtDefInstantiateCmdArgv[arg_counter++]) caused a segmentation fault.

1 Attachments

bt_core.1491307159.osafamfnd.428.PL-5

Hoa Le - 2017-04-12

status: assigned --> review
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Gary Lee - 2017-05-01

status: review --> fixed

Blocker: --> False
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

commit 6146f2e39e9dab9e8aaedd323c801359908cadd7
Author: Hoa Le hoa.le@dektech.com.au
Date: Tue Apr 25 09:21:29 2017 +0700

amfnd: Fix illegal memory access in avnd_comptype_delete [#2424]

Problem:
- There are some unsafe memory accesses which may cause segfault in
avnd_comptype_delete() function.

Fix:
- Check if a pointer is valid before accessing it.
- Minor update in avnd_comptype_create() function to avoid unnecessary
function call to avnd_comptype_delete().

commit a6dcc6a37fa7a37028a1b23e446312fa8aeb5677
Author: Hoa Le hoa.le@dektech.com.au
Date: Tue Apr 25 09:21:29 2017 +0700

amfnd: Fix illegal memory access in avnd_comptype_delete [#2424]

Problem:
- There are some unsafe memory accesses which may cause segfault in
avnd_comptype_delete() function.

Fix:
- Check if a pointer is valid before accessing it.
- Minor update in avnd_comptype_create() function to avoid unnecessary
function call to avnd_comptype_delete().

changeset: 8786:9210d063ed44
tag: tip
user: Hoa Le hoa.le@dektech.com.au
date: Mon May 01 16:13:32 2017 +1000
summary: amfnd: Fix illegal memory access in avnd_comptype_delete [#2424]

Tickets: ~~#2424~~

Anders Widell - 2017-07-01

Milestone: 5.17.06 --> 5.17.08
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

amfnd: illegal memory access in avnd_comptype_delete()

Milestone

Searches

Help

#2424 amfnd: illegal memory access in avnd_comptype_delete()

Related

Discussion

Related