jsonrpc, rtpengine, aaa_diameter, janus: fix cJSON NULL derefs and memory leaks#3850
Open
dondetir wants to merge 4 commits intoOpenSIPS:masterfrom
Open
jsonrpc, rtpengine, aaa_diameter, janus: fix cJSON NULL derefs and memory leaks#3850dondetir wants to merge 4 commits intoOpenSIPS:masterfrom
dondetir wants to merge 4 commits intoOpenSIPS:masterfrom
Conversation
cJSON_Print() can return NULL on allocation failure. The existing code passes the return value directly to strlen() without a NULL check, causing a crash on two separate code paths (error and result handling). Add NULL checks after both cJSON_Print() calls. Additionally, the cJSON tree allocated by cJSON_Parse() at the start of the function is never freed. Add cJSON_Delete(obj) to the cleanup path. Found during a systematic audit of cJSON return value handling across modules, following the janus leak fixes in commit f9fb3ea.
In rtpengine_raise_event(), cJSON_PrintUnformatted() can return NULL on allocation failure. The return value is passed directly to strlen() and then to cJSON_PurgeString(), both of which will crash on a NULL pointer. Add a NULL check before using the return value, and skip the parameter on failure. Found during a systematic audit of cJSON return value handling across modules, following the janus leak fixes in commit f9fb3ea.
cJSON_PrintUnformatted() can return NULL on allocation failure (using shm hooks). The return value is passed directly to init_str(), which calls strlen() on it, causing a crash. Replace the init_str() call with an explicit NULL check and manual assignment, following the existing error-handling pattern in the function (goto error, which properly cleans up via cJSON_Delete and cJSON_PurgeString). Found during a systematic audit of cJSON return value handling across modules, following the janus leak fixes in commit f9fb3ea.
The janus module uses cJSON_InitHooks() to route cJSON allocations through pkg_malloc. In populate_janus_handler_id(), four calls to cJSON_Print(request) are embedded directly in LM_ERR() format arguments. The pkg-allocated return values are never stored or freed, leaking ~100-500 bytes per error path hit. Store the cJSON_Print() result, use it in the log message, and free it afterward. Also handle the case where cJSON_Print() returns NULL. This follows up on the janus leak fixes in commit f9fb3ea, which addressed similar leaks in janus_raise_event(), handle_janus_json_request(), and janus_ipc_send_request() but missed populate_janus_handler_id().
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fix NULL pointer dereferences and memory leaks caused by unchecked
cJSON_Print()/cJSON_PrintUnformatted()return values across four modules, found during a systematic audit following the janus leak fixes in commit f9fb3ea.Details
cJSON_Print()return values were not freed. A systematic audit of all cJSON usage across modules revealed the same class of issue in three additional modules, plus one remaining site in janus that was missed:jsonrpc (
jsonrpc_handle_cmd()) —cJSON_Print(aux)can return NULL on allocation failure. The return is passed directly tostrlen(), causing a crash. Two separate call sites affected. Additionally, thecJSON_Parse()result (obj) is never freed withcJSON_Delete(), leaking the entire parsed JSON tree on every JSON-RPC command.rtpengine (
rtpengine_raise_event()) —cJSON_PrintUnformatted(param)can return NULL. Bothstrlen()andcJSON_PurgeString()on the next lines would crash on NULL.aaa_diameter (
dm_receive_req()) —cJSON_PrintUnformatted(avps)is passed directly toinit_str(), which callsstrlen()internally, crashing on NULL. The module usescJSON_InitHooks(&shm_mem_hooks)so cJSON allocates from shared memory.janus (
populate_janus_handler_id()) — Four calls tocJSON_Print(request)are embedded directly inLM_ERR()format arguments. The pkg-allocated return values are never stored or freed, leaking ~100-500 bytes per error path hit. This was missed by the fix in f9fb3ea which addressed similar leaks in other janus functions.Solution
cJSON_Print()calls. AddedcJSON_Delete(obj)to the cleanup path to fix the object leak.strlen()/cJSON_PurgeString(). On failure, the parameter is skipped and the loop continues.init_str()call with explicit NULL check and manualstrassignment. On failure,goto errorfollows the existing cleanup pattern (cJSON_PurgeString+cJSON_Delete+cJSON_InitHooks(NULL)).cJSON_Print()result in a local variable, use it in the log message, then free it. Added NULL guards beforepkg_free()to match the pattern established in f9fb3ea.Compatibility
Closing Issues
N/A — found via code audit following f9fb3ea.