NULL ptr dereferences found with Calysto static checker

Domagoj Babic babic.domagoj at gmail.com
Wed Jun 6 19:20:25 EDT 2007


Hi,

I've run my static checker Calysto ( http://www.calysto.org/ ) on krb 5.1.6.
Here's the postprocessed report:

+ krb5-1.6/src/util/support/fake-addrinfo.c:1336
krb5int_getaddrinfo is a function with external linkage, which calls
getaddrinfo (fake-addrinfo.c:1097), passing aip as the fourth parameter
(received as **result). Without checking whether result is NULL or not,
getaddrinfo passes it to system_getaddrinfo (which is actually
getaddrinfo in netdb.h). system_getaddrinfo can set result to NULL if
the system is out of memory. Code at
krb5-1.6/src/util/support/fake-addrinfo.c:1143 dereferences result,
without checking it.

+ krb5-1.6/src/util/support/gmt_mktime.c:54 krb5int_gmt_mktime is a
function with external linkage, dereferences parameter t without
checking it.

+ krb5-1.6/src/util/support/errors.c:155 same as above, for parameter
ep.

+ krb5-1.6/src/util/support/errors.c:77 same as above, same param.

+ krb5-1.6/src/util/support/errors.c:54 similar to the above - function
krb5int_set_error calls krb5int_vset_error passing it ep pointer without
checking it, which krb5int_vset_error then dereferences.

+ krb5-1.6/src/util/support/plugins.c:647 pointer ptrs dereferenced
without being checked first. Function also has external linkage.

+ krb5-1.6/src/util/support/plugins.c:588 same as above.

+ krb5-1.6/src/util/support/plugins.c:528 same as above, for parameter
dirhandle.

+ krb5-1.6/src/util/support/plugins.c:428 same as above, for parameter
dirnames.

+ krb5-1.6/src/util/support/plugins.c:515, same as above, for parameter
dirhandle.

+ krb5-1.6/src/util/support/plugins.c:260, same, parameter h

+ krb5-1.6/src/util/support/plugins.c:189, same, param h

+ krb5-1.6/src/util/support/plugins.c:251, same, param ptr

+ krb5-1.6/src/util/support/plugins.c:230, same, param ptr

+ krb5-1.6/src/util/support/threads.c:651, same, param m

+ krb5-1.6/src/util/support/threads.c:646, same, param m

+ krb5-1.6/src/util/support/threads.c:637, same, param m

+ krb5-1.6/src/util/support/threads.c:631, same, param m

Note: Calysto reports warnings about unchecked dereferenced parameters
only if a function F:
1) has external linkage,
2) parameter is dereferenced in F or any function called by F,
3) there is a feasible path from the entry block of F to the statement
that dereferences the pointer, and
4) F is not called from any other function - in that case, Calysto has no
context information about the parameters, and has to consider them to
be undefined.

None of the functions mentioned above seem to be called from any
other function in the compiled binary (compiled with llvm-gcc
http://llvm.org/ ), although in the source I see that some are called
from the code that didn't end up in the binary for some reason.
Hence, Calysto assumes that those functions are library-like functions.


I'd appreciate if you could let me know whether you consider these to
be bugs or not and why.


Besides these reports, there seem to be no other unchecked dereferences
in krb, which certainly says a lot about the code quality - other open source
projects I've checked so far have a larger number of non-trivial NULL ptr
dereferences.

Kind regards,

-- 
        Domagoj Babic

        http://www.domagoj.info/
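The following is an added example, not code from krb5 or from Calysto. It reproduces in miniature the shape of the first report (an externally linked wrapper that hands its `**result` parameter to a resolver without checking it, and then uses the pointer the resolver wrote even though the resolver can leave it NULL on out-of-memory) and places a checked version beside it. All names (`struct fake_addrinfo`, `system_lookup`, `lookup_unchecked`, `lookup_checked`, the `simulate_oom` switch) are hypothetical stand-ins; the resolver is a constructed simulation so the block runs offline with no real network lookup.

```c
/* Added example: unchecked vs. checked handling of an out-pointer parameter.
 * Not krb5 or Calysto code; every identifier here is a constructed stand-in. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define FAKE_AF_INET 2  /* hypothetical address family value */

struct fake_addrinfo {
    int family;
    char canonname[64];
};

/* Constructed stand-in for the system resolver.  When simulate_oom is set it
 * behaves like an allocation failure: *result is left NULL and an error is
 * returned.  That is the case the report says the caller never checks. */
static int simulate_oom = 0;

static int system_lookup(const char *host, struct fake_addrinfo **result)
{
    if (simulate_oom) {
        *result = NULL;
        return ENOMEM;
    }
    struct fake_addrinfo *ai = malloc(sizeof *ai);
    if (ai == NULL) {
        *result = NULL;
        return ENOMEM;
    }
    ai->family = FAKE_AF_INET;
    strncpy(ai->canonname, host, sizeof ai->canonname - 1);
    ai->canonname[sizeof ai->canonname - 1] = '\0';
    *result = ai;
    return 0;
}

/* The shape the checker warns about: external linkage, the parameter
 * `result` is dereferenced (by system_lookup and again here) with no check,
 * and the pointer system_lookup wrote is used even when it is NULL.
 * Calling this with result == NULL, or under simulate_oom, dereferences
 * NULL, so it is shown here as the "before" shape only and is never called. */
int lookup_unchecked(const char *host, struct fake_addrinfo **result)
{
    system_lookup(host, result);             /* `result` passed through unchecked */
    return (*result)->family;                /* NULL if the resolver failed */
}

/* Checked version: validate the out-pointer at the external boundary, treat
 * a NULL result as a failure regardless of the return code, and report the
 * error to the caller instead of touching the pointer. */
int lookup_checked(const char *host, struct fake_addrinfo **result, int *family_out)
{
    if (host == NULL || result == NULL)
        return EINVAL;                       /* never trust an out-pointer from outside */
    *result = NULL;                          /* defined state on every failure path */
    int err = system_lookup(host, result);
    if (err != 0)
        return err;
    if (*result == NULL)
        return ENOMEM;                       /* resolver "succeeded" but gave nothing */
    if (family_out != NULL)
        *family_out = (*result)->family;     /* safe: *result is known non-NULL */
    return 0;
}

/* Exercises both failure paths and the success path of lookup_checked.
 * Returns 1 when every path behaved as intended, 0 otherwise. */
int run_checked_demo(void)
{
    struct fake_addrinfo *ai = NULL;
    int family = 0;

    if (lookup_checked("example.test", NULL, &family) != EINVAL)
        return 0;                            /* NULL out-pointer must be rejected */

    simulate_oom = 1;
    if (lookup_checked("example.test", &ai, &family) != ENOMEM || ai != NULL)
        return 0;                            /* OOM must not hand back a dangling pointer */

    simulate_oom = 0;
    if (lookup_checked("example.test", &ai, &family) != 0 || ai == NULL)
        return 0;
    int ok = (family == FAKE_AF_INET) && (strcmp(ai->canonname, "example.test") == 0);
    free(ai);
    return ok;
}

int main(void)
{
    return run_checked_demo() ? 0 : 1;
}
```

The checked wrapper also covers the case the report singles out in the Calysto note: a function with external linkage and no callers in the binary has to be treated as a library entry point, so its pointer parameters are validated at the boundary rather than assumed non-NULL from context.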


