[sr-dev] [tracker] Task opened: xavp_insert can corrupt linked list pointers

sip-router bugtracker at sip-router.org
Wed Oct 8 16:43:13 CEST 2014


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

A new Flyspray task has been opened.  Details are below. 

User who did this - Hugh Waite (hugh.waite) 

Attached to Project - sip-router
Summary - xavp_insert can corrupt linked list pointers
Task Type - Bug Report
Category - Core
Status - New
Assigned To - 
Operating System - All
Severity - High
Priority - Normal
Reported Version - Development
Due in Version - Undecided
Due Date - Undecided
Details - I have identified a bug in xavp_insert() in xavp.c which will corrupt the linked list pointers when inserting an entry to a given index. This can lead to infinite loops when searching the list.
The following code will reproduce the issue:
<code>
static struct mi_root* mi_test_xavp(struct mi_root* cmd_tree, void* param)
{
  sr_xavp_t *xavp_list = NULL;
  sr_xavp_t *axavp = NULL;
  sr_xavp_t *bxavp = NULL;
  sr_xval_t val;
  str myname = str_init("hugh");
  str othername = str_init("other");
  int ival = 100;

  val.type = SR_XTYPE_INT;
  val.v.i = ival++;

  xavp_add_xavp_value(&othername, &myname, &val, &axavp);
  LM_ERR("### axavp is\n\n");
  xavp_print_list(&axavp);

  val.v.i = ival++;
  xavp_add_xavp_value(&othername, &myname, &val, &bxavp);
  LM_ERR("### bxavp is\n\n");
  xavp_print_list(&bxavp);

  xavp_insert(axavp, 1, &xavp_list);
  LM_ERR("### After insert at pos 1\n");
  xavp_print_list(&xavp_list);

  /* This part is unreachable */

  xavp_insert(bxavp, 0, &xavp_list);
  LM_ERR("### After second insert at pos 0\n");

  xavp_print_list(&xavp_list);
  xavp_destroy_list(&xavp_list);

  return (init_mi_tree( 200, MI_OK_S, MI_OK_LEN ));
}</code>

I'm looking at xavp_insert (xavp.c:694) to see how to fix this.
When inserting with a non-zero index, the code attempts to pad the list with SR_XTYPE_NULL entries, so that the new entry will be accessible at the given index. This should be easily fixable.

I expect that the function should attempt to overwrite an SR_XTYPE_NULL entry at the correct position, e.g. if items are inserted in reverse order.

I'll post a fix as soon as I have one for your comments.

Hugh

More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=477

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.
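
A minimal model of the behaviour the report describes as expected (pad a short list with placeholder entries, overwrite a placeholder already at the target index), added here as an example; it is not the code in xavp.c and not the fix mentioned in the report. The names node_t, mk, insert_at, list_len and val_at are hypothetical stand-ins, and list_len shows a bounded walk that reports a cycle instead of looping forever.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for sr_xavp_t (assumption): type tag, int value, next. */
enum { T_NULL, T_INT };
typedef struct node { int type; int val; struct node *next; } node_t;

static node_t *mk(int type, int val) {
    node_t *n = calloc(1, sizeof(*n));
    if (n) { n->type = type; n->val = val; }
    return n;
}

/* Make item reachable at index idx; returns 0, or -1 on bad args / no memory. */
int insert_at(node_t *item, int idx, node_t **list) {
    node_t **pp = list;
    if (!item || !list || idx < 0) return -1;
    for (int i = 0; i < idx; i++) {
        if (!*pp && !(*pp = mk(T_NULL, 0))) return -1;  /* pad short list */
        pp = &(*pp)->next;
    }
    node_t *old = *pp;
    int ph = old && old->type == T_NULL;  /* placeholder already at idx? */
    item->next = ph ? old->next : old;    /* overwrite it, else insert before */
    if (ph) free(old);
    *pp = item;                           /* exactly one link now points at item */
    return 0;
}

/* Bounded walk: length, or -1 once more than max nodes are seen (a cycle). */
int list_len(const node_t *n, int max) {
    int len = 0;
    for (; n; n = n->next) if (++len > max) return -1;
    return len;
}

/* Value at index idx, or -1 if the slot is absent or a placeholder. */
int val_at(const node_t *n, int idx) {
    while (n && idx-- > 0) n = n->next;
    return (n && n->type == T_INT) ? n->val : -1;
}

int main(void) {
    node_t *list = NULL;
    insert_at(mk(T_INT, 100), 1, &list);  /* [NULL, 100] */
    insert_at(mk(T_INT, 101), 0, &list);  /* [101, 100]  */
    printf("len=%d first=%d\n", list_len(list, 16), val_at(list, 0));
    return 0;
}
```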


