freecwmp

A dangling pointer in libfreecwmp

To: "freecwmp@linux-mips.org" <freecwmp@linux-mips.org>
Subject: A dangling pointer in libfreecwmp
From: Rajsek Miroslav <miroslav.rajsek@innbox.net>
Date: Tue, 19 Feb 2013 10:21:13 +0100
Hi Luka, hi everybody,

I have tested freecwmpd with valgrind and have got some errors of the same kind 
as the one below, originating from libfreecwmp:

==2414== Invalid read of size 1
==2414==    at 0x4133D7A: __GI_memcpy (memcpy.S:78)
==2414==    by 0x4059171: mxmlNewText (mxml-node.c:557)
==2414==    by 0x804F81E: xml_prepare_inform_message (xml.c:271)
==2414==    by 0x804BFBA: cwmp_inform (cwmp.c:90)
==2414==    by 0x4049E30: uloop_run (uloop.c:476)
==2414==    by 0x804D22D: main (freecwmp.c:284)
==2414==  Address 0xbef2f0f4 is not stack'd, malloc'd or (recently) free'd

With regard to this, there was a warning of a dangling reference when compiling 
libfreecwmp:
../src/freecwmp.c: In function ‘lfc_get_current_time’:
../src/freecwmp.c:157: warning: function returns address of local variable

Although I found no problem at runtime, the fix may matter in case someone 
some day stores the return value and uses it much later, after that part of 
the stack memory has been reused (since it is considered free on the stack once 
it goes out of scope).
The patch below is more or less the shortest way, so there is no need to modify 
the way lfc_get_current_time is called from xml.c; it just uses static to 
force a single allocation outside both the stack and the heap for the whole 
lifetime of freecwmpd. Perhaps the more common approach would be returning a 
pointer to heap-allocated memory, but that would require calling free() in xml.c.

The #include <string.h> line has nothing to do with the above; it only fixes a 
compiler warning about an incompatible implicit declaration of the built-in 
function ‘memset’.

Regards,

Miroslav
------------------------------------

Signed-off-by: Miroslav Rajsek <miroslav.rajsek@innbox.net>
---
 src/freecwmp.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/src/freecwmp.c b/src/freecwmp.c
index fca772a..40f325d 100644
--- a/src/freecwmp.c
+++ b/src/freecwmp.c
@@ -12,6 +12,7 @@
 #include <stdio.h>
 #include <syslog.h>
 #include <time.h>
+#include <string.h>

 #include "libfreecwmp.h"

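Review bot: the new `#include <string.h>` is appended after `<time.h>`, which breaks the alphabetical order the surrounding includes follow (stdio, syslog, time); place it between `<stdio.h>` and `<syslog.h>`. Since, as the message says, this line only silences the implicit-declaration warning for `memset` and is unrelated to the dangling-pointer fix, it would also be cleaner as its own commit.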
@@ -148,7 +149,7 @@ char * lfc_get_current_time(char *format)
  tm_c = localtime(&time_c);
  if (tm_c == NULL) return NULL;

- char buf[BUFSIZ];
+ static char buf[BUFSIZ];
  memset(buf, 0, BUFSIZ);

  if (strftime(buf, sizeof(buf), format, tm_c) == 0) return NULL;
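Review bot: making `buf` static removes the returned dangling pointer but makes `lfc_get_current_time` non-reentrant: every caller gets the same address, so a second call (from another thread, or from a caller that still holds the first result) silently overwrites the earlier string. That is acceptable as long as freecwmpd calls it from a single thread and never keeps the pointer across a second call, but the contract should be documented in `libfreecwmp.h`, or the signature changed to take a caller-supplied buffer and length, for example `char *lfc_get_current_time(char *format, char *buf, size_t len)`, at the cost of touching the call site in xml.c as the message notes. Also, `strftime` NUL-terminates on success and the `== 0` failure path already returns NULL, so the `memset(buf, 0, BUFSIZ)` on every call is now redundant.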
--
1.7.0.4
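The two shapes discussed above side by side, as an added example that is not part of the original post or of libfreecwmp: the static-buffer variant the patch introduces, and a reentrant variant that takes a caller-supplied buffer. The example uses a constructed, fixed epoch and gmtime (rather than localtime of the current time) so its output is deterministic; `get_time_static`, `get_time_into` and `SAMPLE_EPOCH` are names assumed here.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed, fixed timestamp so results are deterministic:
 * 2013-02-19 09:21:13 UTC (the post's date converted to UTC). */
#define SAMPLE_EPOCH 1361265673L

/* Shape of the patched function: a static buffer is safe to return, but
 * every call hands back the same address, so a result held across a
 * second call is silently overwritten. gmtime keeps this timezone-free. */
char *get_time_static(const char *format)
{
	static char buf[BUFSIZ];
	time_t t = SAMPLE_EPOCH;
	struct tm *tm_c = gmtime(&t);
	if (tm_c == NULL) return NULL;
	if (strftime(buf, sizeof(buf), format, tm_c) == 0) return NULL;
	return buf;
}

/* Reentrant alternative: the caller owns the storage. Returns buf on
 * success, NULL when the formatted string does not fit in len bytes. */
char *get_time_into(const char *format, char *buf, size_t len)
{
	time_t t = SAMPLE_EPOCH;
	struct tm *tm_c = gmtime(&t);
	if (tm_c == NULL || len == 0) return NULL;
	if (strftime(buf, len, format, tm_c) == 0) return NULL;
	return buf;
}

/* 1 if a second call to the static variant clobbered the first result. */
int static_result_clobbered(void)
{
	char *first = get_time_static("%Y-%m-%d");
	char *second = get_time_static("%H:%M:%S");
	/* first still points at the buffer, but it now holds the clock string */
	return first != NULL && first == second && strcmp(first, "2013-02-19") != 0;
}

/* 1 if two caller-owned results coexist and a too-small buffer is rejected. */
int caller_buffers_independent(void)
{
	char date[16], hms[16], tiny[4];
	if (get_time_into("%Y-%m-%d", date, sizeof date) == NULL) return 0;
	if (get_time_into("%H:%M:%S", hms, sizeof hms) == NULL) return 0;
	if (get_time_into("%Y-%m-%d", tiny, sizeof tiny) != NULL) return 0;
	return strcmp(date, "2013-02-19") == 0 && strcmp(hms, "09:21:13") == 0;
}
```

The static variant never returns a dangling pointer, but `static_result_clobbered()` shows why a caller must copy or consume the string before calling again.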

This e-mail and any attachments may contain confidential and/or privileged 
information and is intended solely for the addressee. Any unauthorised use, 
review, retransmissions, dissemination, copying or other use of this 
information by persons or entities other than the intended recipient is 
strictly prohibited.

