On 32 bit systems I noticed the following warnings when compiling, which I think
indicate that 32 bit systems can crash with an illegal memory access:
-------------------------------------------------------
ucontact.c: In function ‘ucontact_coords_cmp’:
ucontact.c:1036:6: warning: cast to pointer from integer of different size
[-Wint-to-pointer-cast]
a = (ucontact_sip_coords *)_a;
^
ucontact.c:1037:6: warning: cast to pointer from integer of different size
[-Wint-to-pointer-cast]
b = (ucontact_sip_coords *)_b;
^
In file included from ../../resolve.h:45,
from ../../proxy.h:75,
from ucontact.h:44,
from ucontact.c:34:
ucontact.c: In function ‘free_ucontact_coords’:
ucontact.c:1049:12: warning: cast to pointer from integer of different size
[-Wint-to-pointer-cast]
shm_free((ucontact_sip_coords *)coords);
^
../../mem/shm_mem.h:513:38: note: in definition of macro ‘shm_free’
#define shm_free( _ptr ) _shm_free( (_ptr), \
^~~~
dlist.c: In function ‘delete_ucontact_from_coords’:
dlist.c:1216:34: warning: cast to pointer from integer of different size
[-Wint-to-pointer-cast]
if (cdb_delete_ucontact_coords((ucontact_sip_coords *)ct_coords)) {
^
-------------------------------------------------------
The variables in question are of type ucontact_coords, which is a 64 bit
integer. Whenever that type is cast into a pointer it will be truncated to 32
bits on 32 bit platforms, which can result in illegal memory access. I have not
yet run opensips on a 32 bit system, but I noticed these while compiling it.
Next I got this warning when compiling on both 32 and 64 bit systems:
32 bit warning:
-------------------------------------------------------------
In file included from /usr/include/string.h:494,
from /usr/include/i386-linux-gnu/sys/un.h:37,
from timeout_process.c:27:
In function ‘memcpy’,
inlined from ‘sockaddr2ip_addr’ at ../../parser/../ip_addr.h:212:4,
inlined from ‘timeout_listener_process’ at timeout_process.c:248:6:
/usr/include/i386-linux-gnu/bits/string_fortified.h:34:10: warning:
‘__builtin_memcpy’ forming offset [17, 24] is out of the bounds [0, 16] of object ‘rtpp_info’ with type ‘struct sockaddr’
[-Warray-bounds]
return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
timeout_process.c: In function ‘timeout_listener_process’:
timeout_process.c:76:18: note: ‘rtpp_info’ declared here
struct sockaddr rtpp_info;
^~~~~~~~~
timeout_process.c:235:8: warning: ‘__builtin_memcmp_eq’ reading 16 bytes from a
region of size 8 [-Wstringop-overflow=]
memcmp(rtpp_lst->addr, s_in6->sin6_addr.s6_addr, 16) == 0)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-------------------------------------------------------------
64 bit warning:
-------------------------------------------------------------
timeout_process.c: In function ‘timeout_listener_process’:
timeout_process.c:235:8: warning: ‘__builtin_memcmp_eq’ reading 16 bytes from a
region of size 8 [-Wstringop-overflow=]
memcmp(rtpp_lst->addr, s_in6->sin6_addr.s6_addr, 16) == 0)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-------------------------------------------------------------
which also seems to indicate accessing memory out of bounds.
The next warnings I only noticed when compiling on 64 bit. Not sure why they do
not show up on 32 bit, if the problem depends on architecture or is caused by
the slight difference in compilers (I used gcc 8.2.0 on 32 bit and gcc 8.3.0 on
64 bit):
-------------------------------------------------------------
libsms_getsms.c: In function ‘splitascii.isra.1’:
libsms_getsms.c:286:2: warning: ‘strncpy’ specified bound 500 equals
destination size [-Wstringop-truncation]
strncpy(sms->ascii,start,sizeof(sms->ascii));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
libsms_getsms.c:302:2: warning: ‘strncpy’ specified bound 31 equals destination
size [-Wstringop-truncation]
strncpy(sms->sender,start,sizeof(sms->sender));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
libsms_getsms.c:316:3: warning: ‘strncpy’ specified bound 64 equals destination
size [-Wstringop-truncation]
strncpy(sms->name,start,sizeof(sms->name));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
esl/src/esl.c: In function ‘esl_recv_event’:
esl/src/esl.c:1406:4: warning: ‘strncpy’ specified bound 1024 equals
destination size [-Wstringop-truncation]
strncpy(handle->last_reply, hval, sizeof(handle->last_reply));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘esl_send_recv_timed.part.6’,
inlined from ‘esl_send_recv_timed’ at esl/src/esl.c:1537:27:
esl/src/esl.c:1604:5: warning: ‘strncpy’ specified bound 1024 equals
destination size [-Wstringop-truncation]
strncpy(handle->last_sr_reply, hval, sizeof(handle->last_sr_reply));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from esl/src/esl_config.c:34:
esl/src/esl_config.c: In function ‘esl_config_open_file’:
esl/src/include/esl.h:43:37: warning: ‘strncpy’ output may be truncated copying
511 bytes from a string of length 1023 [-Wstringop-truncation]
#define esl_copy_string(_x, _y, _z) strncpy(_x, _y, _z - 1)
^~~~~~~~~~~~~~~~~~~~~~~
esl/src/include/esl.h:44:32: note: in expansion of macro ‘esl_copy_string’
#define esl_set_string(_x, _y) esl_copy_string(_x, _y, sizeof(_x))
^~~~~~~~~~~~~~~
esl/src/esl_config.c:72:4: note: in expansion of macro ‘esl_set_string’
esl_set_string(cfg->path, path);
^~~~~~~~~~~~~~
xjab_wlist.c: In function ‘xj_wlist_set_aliases’:
xjab_wlist.c:473:3: warning: ‘strncpy’ output truncated before terminating nul
copying as many bytes from a string as its length [-Wstringop-truncation]
strncpy(p0, pa, i);
^~~~~~~~~~~~~~~~~~
xjab_wlist.c:455:34: note: length computed here
i = jwl->aliases->proxy->len = strlen(pa);
^~~~~~~~~~
iniparser.c: In function ‘iniparser_add_entry’:
iniparser.c:568:4: warning: ‘strncpy’ specified bound depends on the length of
the source argument [-Wstringop-overflow=]
strncpy(longkey, sec, len + 1);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
iniparser.c:565:17: note: length computed here
size_t len = strlen(sec);
^~~~~~~~~~~
rest_methods.c: In function ‘trace_rest_request_cb’:
rest_methods.c:142:4: warning: ‘strncpy’ specified bound 46 equals destination
size [-Wstringop-truncation]
strncpy( tparam->local_ip, ip, INET6_ADDRSTRLEN);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rest_methods.c:152:4: warning: ‘strncpy’ specified bound 46 equals destination
size [-Wstringop-truncation]
strncpy( tparam->remote_ip, ip, INET6_ADDRSTRLEN);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
opensipsunix.c: In function ‘main’:
opensipsunix.c:93:2: warning: ‘strncpy’ output truncated before terminating nul
copying as many bytes from a string as its length [-Wstringop-truncation]
strncpy(from.sun_path, name, strlen(name));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
bdb_recover.c: In function ‘extract_key’:
bdb_recover.c:487:2: warning: ‘strncpy’ output truncated before terminating nul
copying as many bytes from a string as its length [-Wstringop-truncation]
strncpy(buf, d, len);
^~~~~~~~~~~~~~~~~~~~
bdb_recover.c:486:8: note: length computed here
len = strlen(d);
^~~~~~~~~
bdb_recover.c:498:5: warning: ‘strncpy’ output truncated before terminating nul
copying as many bytes from a string as its length [-Wstringop-truncation]
strncpy(p, s, len);
^~~~~~~~~~~~~~~~~~
bdb_recover.c:493:9: note: length computed here
len = strlen(s);
^~~~~~~~~
bdb_recover.c: In function ‘create_table’:
bdb_recover.c:795:2: warning: ‘strncpy’ specified bound depends on the length
of the source argument [-Wstringop-overflow=]
strncpy(tp->name, _s, i);
^~~~~~~~~~~~~~~~~~~~~~~~
bdb_recover.c:793:4: note: length computed here
i=strlen(_s)+1;
^~~~~~~~~~
-------------------------------------------------------------
--
Dan
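An added example (not code from this mail or from OpenSIPS) that illustrates two of the warning classes above: the struct sockaddr bounds warning in timeout_process.c, and the strncpy bound-equals-destination-size warnings. It shows a length-checked IPv6 address copy and a strncpy replacement that always NUL-terminates; all function names are hypothetical and the sample values are constructed.

```c
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Hypothetical guard for the flagged memcpy: read the 16-byte IPv6 address only
 * when the buffer can hold a sockaddr_in6 (28 bytes); a bare struct sockaddr is 16. */
int copy_ip6(uint8_t out[16], const struct sockaddr *sa, size_t sa_len)
{
    if (sa->sa_family != AF_INET6 || sa_len < sizeof(struct sockaddr_in6))
        return -1;                       /* rejected: would read past the buffer */
    memcpy(out, ((const struct sockaddr_in6 *)sa)->sin6_addr.s6_addr, 16);
    return 0;
}

/* Constructed demo: ::1 in a sockaddr_storage (big enough) versus a bare
 * struct sockaddr (not). Returns the last address byte (1) or -1 if rejected. */
int demo_ip6_copy(int use_storage)
{
    uint8_t out[16] = {0};
    struct sockaddr_storage ss = {0};
    struct sockaddr sa = {0};
    ss.ss_family = AF_INET6;
    sa.sa_family = AF_INET6;
    if (!use_storage)
        return copy_ip6(out, &sa, sizeof(sa));
    ((struct sockaddr_in6 *)&ss)->sin6_addr.s6_addr[15] = 1;
    return copy_ip6(out, (struct sockaddr *)&ss, sizeof(ss)) ? -1 : out[15];
}

/* Hypothetical strncpy replacement for the -Wstringop-truncation cases:
 * always NUL-terminates dst (dst_size > 0); returns 1 when src was cut. */
int copy_str(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    int truncated = n >= dst_size;
    if (truncated)
        n = dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Constructed demo, 5-byte buffer: strncpy(buf, src, sizeof buf) on a 6-char
 * src would leave no terminator; copy_str caps it. Returns strlen(buf). */
size_t demo_copy_str(const char *src)
{
    char buf[5];
    copy_str(buf, sizeof(buf), src);
    return strlen(buf);
}
```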
_______________________________________________
Devel mailing list
http://lists.opensips.org/cgi-bin/mailman/listinfo/devel