Fix undefined behaviour reported by ubsan

* calling ddsrt_memdup, ddsrt_strdup with a null pointer (they handle it gracefully but forbid it in the interface ...) * replacement of all pre-C99 flexible arrays (i.e., declaring as array[1], then mallocing and using as if array[N]) by C99 flexible arrays. * also add a missing null-pointer test in dds_dispose_ts, and fix the test cases that pass a null pointer and a non-writer handle to it to instead pass an invalid adress Signed-off-by: Erik Boasson <eb@ilities.com>
2019-06-07 16:08:52 +02:00 · 2019-06-07 16:08:52 +02:00 · 0356af470d
commit 0356af470d
parent b3d6eec405
10 changed files with 37 additions and 42 deletions
--- a/src/core/ddsc/src/dds_instance.c
+++ b/src/core/ddsc/src/dds_instance.c
@ -238,6 +238,9 @@ dds_return_t dds_dispose_ts (dds_entity_t writer, const void *data, dds_time_t t
  dds_return_t ret;
  dds_writer *wr;

+  if (data == NULL)
+    return DDS_RETCODE_BAD_PARAMETER;
+
  if ((ret = dds_writer_lock (writer, &wr)) != DDS_RETCODE_OK)
    return ret;

--- a/src/core/ddsc/src/dds_qos.c
+++ b/src/core/ddsc/src/dds_qos.c
@ -22,7 +22,7 @@ static void dds_qos_data_copy_in (ddsi_octetseq_t *data, const void * __restrict
  if (overwrite && data->value)
    ddsrt_free (data->value);
  data->length = (uint32_t) sz;
-  data->value = ddsrt_memdup (value, sz);
+  data->value = value ? ddsrt_memdup (value, sz) : NULL;
 }

 static bool dds_qos_data_copy_out (const ddsi_octetseq_t *data, void **value, size_t *sz)
--- a/src/core/ddsc/src/dds_whc.c
+++ b/src/core/ddsc/src/dds_whc.c
@ -60,11 +60,7 @@ struct whc_idxnode {
  seqno_t prune_seq;
  struct ddsi_tkmap_instance *tk;
  uint32_t headidx;
-#if __STDC_VERSION__ >= 199901L
  struct whc_node *hist[];
-#else
-  struct whc_node *hist[1];
-#endif
 };

 #if USE_EHH
--- a/src/core/ddsc/tests/dispose.c
+++ b/src/core/ddsc/tests/dispose.c
@ -560,7 +560,8 @@ CU_Theory((dds_entity_t *writer), ddsc_dispose, non_writers, .init=disposing_ini
 {
    dds_return_t ret;
    DDSRT_WARNING_MSVC_OFF(6387); /* Disable SAL warning on intentional misuse of the API */
-    ret = dds_dispose(*writer, NULL);
+    /* pass a non-null pointer that'll trigger a crash if it is read */
+    ret = dds_dispose(*writer, (void *) 1);
    DDSRT_WARNING_MSVC_ON(6387);
    CU_ASSERT_EQUAL_FATAL(ret, DDS_RETCODE_ILLEGAL_OPERATION);
 }
@ -714,7 +715,8 @@ CU_Theory((dds_entity_t *writer), ddsc_dispose_ts, non_writers, .init=disposing_
 {
    dds_return_t ret;
    DDSRT_WARNING_MSVC_OFF(6387); /* Disable SAL warning on intentional misuse of the API */
-    ret = dds_dispose_ts(*writer, NULL, g_present);
+    /* pass a non-null pointer that'll trigger a crash if it is read */
+    ret = dds_dispose_ts(*writer, (void *) 1, g_present);
    DDSRT_WARNING_MSVC_ON(6387);
    CU_ASSERT_EQUAL_FATAL(ret, DDS_RETCODE_ILLEGAL_OPERATION);
 }