Hi,

gcc 15 reports this warning from -Wanalyzer-use-after-free:

  ../../talkd/table.c:65:30: warning: use after 'free' of 'ptr' [CWE-416]

gcc is right here: Accessing ptr->next after calling free (ptr) (inside table_delete (ptr)) is invalid. Find attached a fix.

How I found this:

1) Install gcc 15.

2) Build inetutils with
   CPPFLAGS="-Wall -fanalyzer -fstrict-flex-arrays -Warith-conversion -Wcast-align=strict -Wdate-time -Wdisabled-optimization -Wdouble-promotion -Wduplicated-branches -Wduplicated-cond -Wextra -Wformat-signedness -Wflex-array-member-not-at-end -Winit-self -Winvalid-pch -Wlogical-op -Wmissing-include-dirs -Wmissing-variable-declarations -Wnested-externs -Wnull-dereference -Wopenmp-simd -Woverlength-strings -Wpacked -Wpointer-arith -Wstrict-flex-arrays -Wstrict-overflow -Wsuggest-attribute=format -Wsuggest-final-methods -Wsuggest-final-types -Wsync-nand -Wtrampolines -Wuninitialized -Wunknown-pragmas -Wunsafe-loop-optimizations -Wvariadic-macros -Wvector-operation-performance -Wwrite-strings -Warray-bounds=2 -Wattribute-alias=2 -Wbidi-chars=any,ucn -Wformat-overflow=2 -Wformat=2 -Wformat-truncation=2 -Wimplicit-fallthrough=5 -Wshift-overflow=2 -Wuse-after-free=3 -Wunused-const-variable=2 -Wvla-larger-than=4031 -Wno-analyzer-malloc-leak -Wno-empty-body -Wno-analyzer-double-fclose -Wno-analyzer-double-free -Wno-analyzer-fd-double-close -Wno-analyzer-null-argument -Wno-analyzer-null-dereference -Wno-analyzer-use-of-uninitialized-value -Wno-cast-align -Wno-format-nonliteral -Wno-sign-compare -Wno-type-limits -Wno-unused-parameter -Wno-clobbered -Wshadow=local -Wno-cast-qual -Wno-conversion -Wno-float-equal -Wno-sign-compare -Wno-undef -Wno-unused-function -Wno-unused-parameter -Wno-float-conversion -Wimplicit-fallthrough -Wno-pedantic -Wno-sign-conversion -Wno-type-limits -Wno-unused-const-variable -Wno-unsuffixed-float-constants"

3) Extract the warnings from the compilation log:
   $ warnings-by-category compile-log
   The output is the set of warnings, sorted by category. (Not all warning categories have the same relevance.)

Bruno
>From a6b5e97904f5a3711a4aa6ee3980dca6a4d3720b Mon Sep 17 00:00:00 2001 From: Bruno Haible <br...@clisp.org> Date: Sat, 26 Apr 2025 15:53:08 +0200 Subject: [PATCH] talkd: Fix use-after-free bug. * talkd/table.c (lookup_request): Fetch ptr->next before possibly deleting the object at ptr. --- talkd/table.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/talkd/table.c b/talkd/table.c index 93befe22..2ad2f2d8 100644 --- a/talkd/table.c +++ b/talkd/table.c @@ -62,8 +62,10 @@ lookup_request (CTL_MSG *request, if (debug) print_request ("lookup_request", request); - for (ptr = table; ptr; ptr = ptr->next) + for (ptr = table; ptr; ) { + table_t *next = ptr->next; + if (debug) print_request ("comparing against: ", &ptr->request); @@ -83,6 +85,8 @@ lookup_request (CTL_MSG *request, return &ptr->request; } } + + ptr = next; } if (debug) syslog (LOG_DEBUG, "not found"); -- 2.43.0
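Review bot: in the first hunk (@@ -62,8 +62,10 @@), moving the advance out of the for header makes correctness depend on every path through the loop body reaching the trailing `ptr = next;`; a `continue` anywhere in the body (the hunk's context does not show all of it) would now re-run the iteration on the same, possibly freed, ptr. A form that keeps the advance in the header and stays continue-safe is to declare `table_t *next;` before the loop and write `for (ptr = table; ptr; ptr = next)` with `next = ptr->next;` as the first statement of the body.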
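Review bot: in the second hunk (@@ -83,6 +85,8 @@), the bare `+ ptr = next;` at the end of the body deserves a one-line comment saying why the increment is no longer in the for header (ptr may have been freed by table_delete above); without it a later cleanup is likely to fold the increment back into the header and reintroduce the use-after-free. The fix is also only sound if table_delete (ptr) frees nothing but the node at ptr, which the ChangeLog entry could state explicitly.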
Attachments: warnings-by-category (application/shellscript), warnings.txt.gz (application/gzip)
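The bug and fix from the report above, as an added example that is not inetutils or Bruno's code: a minimal table walk in the shape of lookup_request, with an expired-entry purge standing in for the call that frees the current node. entry_t, table_add and demo are hypothetical names.

```c
/* Added example, not inetutils code: the talkd loop shape (walk a singly
   linked table, possibly freeing the current node) written safely.
   entry_t, table_add and demo are hypothetical names. */
#include <stdlib.h>

typedef struct entry { struct entry *next; int id; int expired; } entry_t;
static entry_t *table;
/* Unlink and free VICTIM, as talkd's table_delete (ptr) does. */
static void table_delete(entry_t *victim) {
  entry_t **pp;
  for (pp = &table; *pp; pp = &(*pp)->next)
    if (*pp == victim) {
      *pp = victim->next;
      free(victim);
      return;
    }
}

static void table_add(int id, int expired) {
  entry_t *e = malloc(sizeof *e);
  e->id = id; e->expired = expired; e->next = table; table = e;
}

/* Return ID if a live entry carries it, else -1, purging expired entries on
   the way.  The buggy form,  for (ptr = table; ptr; ptr = ptr->next),
   reads ptr->next after table_delete (ptr) has freed it (CWE-416). */
int lookup(int id) {
  entry_t *ptr, *next;
  for (ptr = table; ptr; ptr = next) {
    next = ptr->next;       /* fetched while ptr is still valid */
    if (ptr->expired) {
      table_delete(ptr);    /* ptr dangles from here on; never touch it */
      continue;             /* safe: the for header advances via next */
    }
    if (ptr->id == id)
      return id;
  }
  return -1;
}
/* Build 3 -> 2 (expired) -> 1, look up 1 across the purge and return the
   number of entries left: 2 means the expired node was dropped. */
int demo(void) {
  int n = 0; entry_t *p;
  table_add(1, 0); table_add(2, 1); table_add(3, 0);
  if (lookup(1) != 1)
    return -1;
  for (p = table; p; p = p->next) n++;
  return n;
}
```

Building with -fsanitize=address and swapping in the buggy header shown in the comment makes the read of freed memory visible at run time, which is the same defect gcc's analyzer reported statically.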