NULL ptr dereferences found with Calysto static checker

Danny Mayer mayer at ntp.isc.org
Fri Jun 8 21:50:18 EDT 2007


Domagoj Babic wrote:
> Hi,
> 
> I've run my static checker Calysto ( http://www.calysto.org/ ) on krb 5.1.6.
> Here's the postprocessed report:
> 
> + krb5-1.6/src/util/support/fake-addrinfo.c:1336
> krb5int_getaddrinfo is a function with external linkage, which calls
> getaddrinfo (fake-addrinfo.c:1097), passing aip as the fourth parameter
> (received as **result). Without checking whether result is NULL or not,
> getaddrinfo passes it to system_getaddrinfo (which is actually
> getaddrinfo in netdb.h). system_getaddrinfo can set result to NULL if
> the system is out of memory. Code at
> krb5-1.6/src/util/support/fake-addrinfo.c:1143 dereferences result,
> without checking it.
> 
> + krb5-1.6/src/util/support/gmt_mktime.c:54 krb5int_gmt_mktime is a
> function with external linkage, dereferences parameter t without
> checking it.
> 
> + krb5-1.6/src/util/support/errors.c:155 same as above, for parameter
> ep.
> 
> + krb5-1.6/src/util/support/errors.c:77 same as above, same param.
> 
> + krb5-1.6/src/util/support/errors.c:54 similar to above - function
> krb5int_set_error calls krb5int_vset_error passing it ep pointer without
> checking it, which krb5int_vset_error then dereferences.
> 
> + krb5-1.6/src/util/support/plugins.c:647 pointer ptrs dereferenced
> without being checked first. Function also has external linkage.
> 
> + krb5-1.6/src/util/support/plugins.c:588 same as above.
> 
> + krb5-1.6/src/util/support/plugins.c:528 same as above, for parameter
> dirhandle.
> 
> + krb5-1.6/src/util/support/plugins.c:428 same as above, for parameter
> dirnames.
> 
> + krb5-1.6/src/util/support/plugins.c:515, same as above, for parameter
> dirhandle.
> 
> + krb5-1.6/src/util/support/plugins.c:260, same, parameter h
> 
> + krb5-1.6/src/util/support/plugins.c:189, same, param h
> 
> + krb5-1.6/src/util/support/plugins.c:251, same, param ptr
> 
> + krb5-1.6/src/util/support/plugins.c:230, same, param ptr
> 
> + krb5-1.6/src/util/support/threads.c:651, same, param m
> 
> + krb5-1.6/src/util/support/threads.c:646, same, param m
> 
> + krb5-1.6/src/util/support/threads.c:637, same, param m
> 
> + krb5-1.6/src/util/support/threads.c:631, same, param m
> 
> Note: Calysto reports warnings about unchecked dereferenced parameters
> only if a function F:
> 1) has external linkage,
> 2) parameter is dereferenced in F or any function called by F,
> 3) there is a feasible path from the entry block of F to the statement
> that dereferences the pointer, and
> 4) F is not called from any other function - in that case, Calysto has no
> context information about the parameters, and has to consider them to
> be undefined.
> 
> None of the functions mentioned above seem to be called from any
> other function in the compiled binary (compiled with llvm-gcc
> http://llvm.org/ ), although in the source I see that some are called
> from the code that didn't end up in the binary for some reason.
> Hence, Calysto assumes that those functions are library-like functions.
> 
> 
> I'd appreciate if you could let me know whether you consider these to
> be bugs or not and why.
> 
> 
> Besides these reports, there seem to be no other unchecked dereferences
> in krb, which certainly says a lot about the code quality - other open source
> projects I've checked so far have a larger number of non-trivial NULL ptr
> dereferences.
> 

If you see such things in NTP we'd be glad to know about it.

Danny

> Kind regards,
> 
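The findings above all belong to one class: an exported (external-linkage) function that dereferences a pointer parameter the checker cannot prove non-NULL. Whether a maintainer treats that as a bug depends on the function's contract, but the defensive pattern is the same either way. The following is an added example written for this page; it is not code from krb5 or from Calysto. It sketches a `krb5int_gmt_mktime`-style UTC `struct tm` to `time_t` conversion (the real function's internals are not shown on the page and are not reproduced here) that validates the pointer and the fields before touching them, returning `(time_t)-1` with `errno` set to `EINVAL` instead of faulting. The function names `gmt_mktime_checked`, `gmt_from_fields` and `days_from_civil` are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Days since 1970-01-01 for a proleptic Gregorian civil date.
 * Standard days-from-civil arithmetic; month is 1..12, day 1..31. */
static long days_from_civil(int y, unsigned m, unsigned d)
{
    y -= (m <= 2);
    const long era = (y >= 0 ? y : y - 399) / 400;
    const unsigned yoe = (unsigned)(y - era * 400);            /* [0, 399] */
    const unsigned doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    const unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy; /* [0, 146096] */
    return era * 146097 + (long)doe - 719468;
}

/* Exported-style entry point: interprets *t as UTC and returns seconds
 * since the epoch. A NULL or out-of-range input yields (time_t)-1 and
 * errno == EINVAL; the pointer is never dereferenced before the check,
 * which is exactly the property the static checker was asking about. */
time_t gmt_mktime_checked(const struct tm *t)
{
    if (t == NULL) {
        errno = EINVAL;
        return (time_t)-1;
    }
    if (t->tm_mon < 0 || t->tm_mon > 11 ||
        t->tm_mday < 1 || t->tm_mday > 31 ||
        t->tm_hour < 0 || t->tm_hour > 23 ||
        t->tm_min < 0 || t->tm_min > 59 ||
        t->tm_sec < 0 || t->tm_sec > 60) {   /* 60 allows a leap second */
        errno = EINVAL;
        return (time_t)-1;
    }
    long days = days_from_civil(t->tm_year + 1900,
                                (unsigned)t->tm_mon + 1,
                                (unsigned)t->tm_mday);
    return (time_t)(days * 86400L + t->tm_hour * 3600L +
                    t->tm_min * 60L + t->tm_sec);
}

/* Convenience builder so callers (and tests) can construct input inline. */
time_t gmt_from_fields(int year, int mon, int day, int hour, int min, int sec)
{
    struct tm t = {0};
    t.tm_year = year - 1900;
    t.tm_mon = mon - 1;
    t.tm_mday = day;
    t.tm_hour = hour;
    t.tm_min = min;
    t.tm_sec = sec;
    return gmt_mktime_checked(&t);
}

int main(void)
{
    /* Constructed inputs: the epoch, Y2K, and the NULL case the checker flags. */
    printf("1970-01-01T00:00:00Z -> %ld\n", (long)gmt_from_fields(1970, 1, 1, 0, 0, 0));
    printf("2000-01-01T00:00:00Z -> %ld\n", (long)gmt_from_fields(2000, 1, 1, 0, 0, 0));
    printf("NULL                 -> %ld (errno=%d)\n",
           (long)gmt_mktime_checked(NULL), errno);
    return 0;
}
```

The check at the top of `gmt_mktime_checked` is what turns an undefined-behaviour dereference into a reportable error. It also satisfies the checker's rule 3 above: once every path from the entry block to the dereference passes through the NULL test, there is no feasible path left to warn about, so the warning disappears without any change to the function's linkage or callers.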