
addressed null pointer deref warnings (#1712)

addressing issues raised by code scanning, specifically null pointer
dereferences in server

ns_turn_server.c
-
[33](https://github.com/redraincatching/coturn/security/code-scanning/33)
ignored, the `is_rfc5780()` function exits early if the server is null
- this also catches
[36](https://github.com/redraincatching/coturn/security/code-scanning/36)
-
[34](https://github.com/redraincatching/coturn/security/code-scanning/34)
addressed
-
[174](https://github.com/redraincatching/coturn/security/code-scanning/174)
addressed

ns_turn_maps.c
-
[27](https://github.com/redraincatching/coturn/security/code-scanning/27),
[160](https://github.com/redraincatching/coturn/security/code-scanning/160),
[161](https://github.com/redraincatching/coturn/security/code-scanning/161),
[162](https://github.com/redraincatching/coturn/security/code-scanning/162),
[163](https://github.com/redraincatching/coturn/security/code-scanning/163),
[164](https://github.com/redraincatching/coturn/security/code-scanning/164),
[165](https://github.com/redraincatching/coturn/security/code-scanning/165)
false positives, suppressed with assert()

ns_turn_allocation.c
-
[9](https://github.com/redraincatching/coturn/security/code-scanning/9)
addressed

---------

Co-authored-by: Gustavo Garcia <[email protected]>
Co-authored-by: Copilot <[email protected]>
redraincatching 3 月之前
父节点
当前提交
16f801f646
共有 3 个文件被更改,包括 24 次插入0 次删除
  1. 5 0
      src/server/ns_turn_allocation.c
  2. 7 0
      src/server/ns_turn_maps.c
  3. 12 0
      src/server/ns_turn_server.c

+ 5 - 0
src/server/ns_turn_allocation.c

@@ -725,6 +725,11 @@ void add_unsent_buffer(unsent_buffer *ub, ioa_network_buffer_handle nbh) {
     ioa_network_buffer_delete(NULL, nbh);
   } else {
     ub->bufs = (ioa_network_buffer_handle *)realloc(ub->bufs, sizeof(ioa_network_buffer_handle) * (ub->sz + 1));
+    if (!ub->bufs) {
+      TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Memory allocation failed in add_unsent_buffer\n");
+      ioa_network_buffer_delete(NULL, nbh);
+      return;
+    }
     ub->bufs[ub->sz] = nbh;
     ub->sz += 1;
   }
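Review bot: On realloc() failure the added branch returns with `ub->bufs` already overwritten by NULL, because the result is still assigned straight back to the field on the line above the new check. The old array is leaked and `ub->sz` keeps its previous count, so any later code that walks `ub->bufs` up to `ub->sz` (not visible in this hunk) would dereference NULL, which on a network-facing relay is a crash under memory pressure. Keep the old pointer until the call succeeds: `ioa_network_buffer_handle *tmp = realloc(ub->bufs, sizeof(ioa_network_buffer_handle) * (ub->sz + 1));`, test `if (!tmp)` instead of `if (!ub->bufs)`, then `ub->bufs = tmp;` before the store. add_unsent_buffer begins and ends outside the hunk.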

+ 7 - 0
src/server/ns_turn_maps.c

@@ -38,6 +38,7 @@
 
 #include "ns_turn_khash.h"
 
+#include <assert.h> // for assert
 #include <stdlib.h> // for size_t, free, malloc, NULL, realloc
 #include <string.h> // for memset, strcmp, memcpy, strlen
 
@@ -261,6 +262,8 @@ bool lm_map_put(lm_map *map, ur_map_key_type key, ur_map_value_type value) {
           a->extra_values[i] = (ur_map_value_type *)malloc(sizeof(ur_map_value_type));
           valuep = a->extra_values[i];
         }
+        assert(keyp);
+        assert(valuep);
         *keyp = key;
         *valuep = value;
         return false;
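Review bot: `assert(keyp)` and `assert(valuep)` are the only check on pointers that come from malloc() (visible for `valuep` on the lines above, presumably the same for `keyp` outside the hunk), and an assert is not a runtime guard: with NDEBUG it disappears and the stores dereference NULL, and without it an allocation failure aborts the whole server. The same applies to `assert(a->extra_keys)` and `assert(a->extra_values)` in the next hunk and to `assert(slh->extra_list)` in addr_list_add, each placed right after a realloc() whose result has already overwritten the only copy of the old pointer. In that next hunk the malloc() results stored in `extra_keys[old_sz]` and `extra_values[old_sz]` are still dereferenced with no check at all. These are real failure paths rather than false positives, so I would handle them at runtime, e.g. `if (!keyp || !valuep) { /* fail the put */ }` here and a temporary for each realloc() result, using the failure return of lm_map_put, whose body starts and ends outside this hunk. `assert(map)` in ur_string_map_create looks redundant if the branch above it already returns on a NULL map, which the hunk does not show.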
@@ -271,11 +274,13 @@ bool lm_map_put(lm_map *map, ur_map_key_type key, ur_map_value_type value) {
   size_t old_sz = esz;
   size_t old_sz_mem = esz * sizeof(ur_map_key_type *);
   a->extra_keys = (ur_map_key_type **)realloc(a->extra_keys, old_sz_mem + sizeof(ur_map_key_type *));
+  assert(a->extra_keys);
   a->extra_keys[old_sz] = (ur_map_key_type *)malloc(sizeof(ur_map_key_type));
   *(a->extra_keys[old_sz]) = key;
 
   old_sz_mem = esz * sizeof(ur_map_value_type *);
   a->extra_values = (ur_map_value_type **)realloc(a->extra_values, old_sz_mem + sizeof(ur_map_value_type *));
+  assert(a->extra_values);
   a->extra_values[old_sz] = (ur_map_value_type *)malloc(sizeof(ur_map_value_type));
   *(a->extra_values[old_sz]) = value;
 
@@ -528,6 +533,7 @@ static void addr_list_add(addr_list_header *slh, const ioa_addr *key, ur_addr_ma
     size_t old_sz = slh->extra_sz;
     size_t old_sz_mem = old_sz * sizeof(addr_elem);
     slh->extra_list = (addr_elem *)realloc(slh->extra_list, old_sz_mem + sizeof(addr_elem));
+    assert(slh->extra_list);
     elem = &(slh->extra_list[old_sz]);
     slh->extra_sz += 1;
   }
@@ -947,6 +953,7 @@ ur_string_map *ur_string_map_create(ur_string_map_func del_value_func) {
     free(map);
     return NULL;
   }
+  assert(map);
   map->del_value_func = del_value_func;
   return map;
 }

+ 12 - 0
src/server/ns_turn_server.c

@@ -2938,6 +2938,10 @@ static int handle_turn_send(turn_turnserver *server, ts_ur_super_session *ss, in
   addr_set_any(&peer_addr);
   allocation *a = get_allocation_ss(ss);
 
+  if (!server) {
+    return -1;
+  }
+
   if (ss->is_tcp_relay) {
     *err_code = 403;
     *reason = (const uint8_t *)"Send cannot be used with TCP relay";
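Review bot: The new `if (!server) { return -1; }` exit leaves `*err_code` and `*reason` untouched, whereas the TCP-relay rejection directly below it sets both. If the caller builds its error response from `*err_code` rather than from the return value (the call site is not in this hunk), a NULL server would be dropped silently instead of being answered or logged. I would set them before returning, for example `*err_code = 500;` and `*reason = (const uint8_t *)"Internal server error";`, or, if the check exists only to satisfy the scanner, say so in a comment on the guard. The body of handle_turn_send continues outside the hunk.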
@@ -4102,6 +4106,10 @@ int shutdown_client_connection(turn_turnserver *server, ts_ur_super_session *ss,
     return -1;
   }
 
+  if (!server) {
+    return -1;
+  }
+
   SOCKET_TYPE socket_type = get_ioa_socket_type(ss->client_socket);
 
   turn_report_session_usage(ss, 1);
@@ -4228,6 +4236,10 @@ static int write_client_connection(turn_turnserver *server, ts_ur_super_session
 
   FUNCSTART;
 
+  if (!server) {
+    return -1;
+  }
+
   if (!(ss->client_socket)) {
     ioa_network_buffer_delete(server->e, nbh);
     FUNCEND;
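Review bot: The added `return -1;` sits after `FUNCSTART;` but skips both steps the next exit path performs, releasing `nbh` and calling `FUNCEND;`. If write_client_connection owns `nbh` on every path, as the `!(ss->client_socket)` branch suggests, the early return leaks the buffer. `server->e` cannot be used when `server` is NULL, but the ns_turn_allocation.c hunk in this commit already calls the delete with a NULL engine. Suggested body for the guard: `ioa_network_buffer_delete(NULL, nbh); FUNCEND; return -1;`. The function starts above the hunk and continues past it.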