Summary: | ASTERISK-26195: static analysis: Out of bound array access | ||
Reporter: | Matt Jordan (mjordan) | Labels: | |
Date Opened: | 2016-07-13 19:57:51 | Date Closed: | 2017-08-22 16:57:27 |
Priority: | Major | Regression? | |
Status: | Closed/Complete | Components: | Applications/app_voicemail Core/Channels Core/ManagerInterface |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ( 0) report-328195.html ( 1) report-6b239f.html ( 2) report-fee2e3.html | |
Description: | Clang's static analysis tool identified three potential out-of-bound array access violations:
# {{apps/app_voicemail.c}}: {code} 13141 if (!ast_strlen_zero(p->context)) { 5 ← Taking true branch → 13142 strcat(mwi_sub->mailbox, "@"); 6 ← String copy function overflows destination buffer 13143 strcat(mwi_sub->mailbox, p->context); 13144 } {code} # {{main/manager.c}}: {code} 6682 tmp->tv = ast_tvnow(); 6683 AST_RWLIST_NEXT(tmp, eq_next) = NULL; 6684 strcpy(tmp->eventdata, str); 7 ← String copy function overflows destination buffer 6685 6686 AST_RWLIST_WRLOCK(&all_events); {code} # {{main/channel.c}}: {code} 7384 if (!member) { 9 ← Assuming 'member' is non-null → 10 ← Taking false branch → 7385 ao2_ref(namedgroups, -1); 7386 return NULL; 7387 } 7388 strcpy(member->name, piece);/* Safe */ 11 ← String copy function overflows destination buffer 7389 member->hash = ast_str_hash(member->name); {code} See the attached reports on this issue for more information. | ||
Comments: | By: Sean Bright (seanbright) 2017-08-22 14:31:11.139-0500 I'm pretty sure that all of these are false positives. In all 3 cases, we are using the {{char\[1\]-as-last-member-of-struct}} "trick" and the buffer lengths appear to be calculated correctly. By: Richard Mudgett (rmudgett) 2017-08-22 16:57:27.602-0500 Yep. I agree with Sean's assessment of the three findings. They are false positives. |