[Debian-iot-maintainers] Bug#1001328: ulfius_url_{encode, decode} call malloc instead of o_malloc

Harald Welte laforge at gnumonks.org
Wed Dec 8 16:15:22 GMT 2021


Package: libulfius2.7
Version: 2.7.6-1
Severity: important
Tags: patch upstream
X-Debbugs-Cc: Nicolas Mora <github at babelouest.org>

Ulfius has the capability of applications registering their own memory
allocation functions using o_set_alloc_funcs(), as described in API.md
at 
https://github.com/babelouest/ulfius/blob/master/API.md#memory-management

Applications such as osmo-remsim make use of this feature to introduce
libtalloc as a tool to help locating memory leaks.

However, from 2.6.0 up to 2.7.6 and current master, ulfius introduced
a bug which renders this feature unusable:  Some new code started to bypass
the application-provided malloc-function but directly call libc-malloc
while passing that libc-malloc-allocated memory to the application-provided
free-function.  As every memory allocator expects to receive only memory it
has allocated to its free-function, this immediately crashes every application
with custom allocator functions.

The upstream bug report is at https://github.com/babelouest/ulfius/issues/206

The upstream pull request is at https://github.com/babelouest/ulfius/pull/207

Debian will need to patch/update the ulfius packages for bullseye + sid.
Debian buster is not affected, as it still ships ulfius 2.5.x which is prior
to introducing the bug.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.14.0-4-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_DIE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libulfius2.7 depends on:
ii  libc6            2.32-5
ii  libcurl3-gnutls  7.79.1-2
ii  libgnutls30      3.7.2-2
ii  libjansson4      2.13.1-1.1
ii  libmicrohttpd12  0.9.73-4
ii  liborcania2.2    2.2.1-1+b1
ii  libyder2.0       1.4.14-1
ii  zlib1g           1:1.2.11.dfsg-2

libulfius2.7 recommends no packages.

libulfius2.7 suggests no packages.

-- no debconf information
-------------- next part --------------
>From a2951c32475a79fccfaa06b7c3c36297c6f6cf5b Mon Sep 17 00:00:00 2001
From: Harald Welte <laforge at osmocom.org>
Date: Wed, 8 Dec 2021 16:57:12 +0100
Subject: [PATCH] u_request: Don't use malloc, but always o_malloc

Allocating memory using malloc, but then free'ing it using o_free will
not work for anyone using a custom memory allocator.   The allocations
and free's must either both go to libc, or both via the custom
allocator; one cannot allocate one way and release another.

Closes: #206
---
 src/u_request.c | 2 +-
 src/ulfius.c    | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/u_request.c b/src/u_request.c
index 385572b..8203c5e 100644
--- a/src/u_request.c
+++ b/src/u_request.c
@@ -143,7 +143,7 @@ static char from_hex(char ch) {
  */
 static char * url_decode(const char * str) {
   if (str != NULL) {
-    char * pstr = (char*)str, * buf = malloc(strlen(str) + 1), * pbuf = buf;
+    char * pstr = (char*)str, * buf = o_malloc(strlen(str) + 1), * pbuf = buf;
     while (* pstr) {
       if (* pstr == '%') {
         if (pstr[1] && pstr[2]) {
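Review bot: in url_decode the o_malloc result is assigned to buf and pbuf inside the declaration and the while loop follows directly, with no NULL check in the lines shown, whereas both functions touched in src/ulfius.c guard with `if (buf != NULL)`. An application-provided allocator can fail just as libc can, so I would split the declaration and add the same guard here, returning NULL on allocation failure.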
diff --git a/src/ulfius.c b/src/ulfius.c
index 0d7da36..8a0caa6 100644
--- a/src/ulfius.c
+++ b/src/ulfius.c
@@ -1842,7 +1842,7 @@ static char to_hex(char code) {
 char * ulfius_url_encode(const char * str) {
   char * pstr = (char*)str, * buf = NULL, * pbuf = NULL;
   if (str != NULL) {
-    buf = malloc(strlen(str) * 3 + 1);
+    buf = o_malloc(strlen(str) * 3 + 1);
     if (buf != NULL) {
       pbuf = buf;
       while (* pstr) {
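Review bot: ulfius_url_encode is non-static and hands buf to the caller, so switching the allocation at `buf = o_malloc(strlen(str) * 3 + 1);` also fixes which function callers must use to release the result. A caller that releases it with libc free() would hit the same mismatch in the opposite direction once custom allocators are registered. If the function's doc comment and API.md do not already say the result must be released with o_free, please add that.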
@@ -1876,7 +1876,7 @@ char * ulfius_url_encode(const char * str) {
 char * ulfius_url_decode(const char * str) {
   char * pstr = (char*)str, * buf = NULL, * pbuf = NULL;
   if (str != NULL) {
-    buf = malloc(strlen(str) + 1);
+    buf = o_malloc(strlen(str) + 1);
     if (buf != NULL) {
       pbuf = buf;
       while (* pstr) {
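Review bot: the line changed here, `buf = o_malloc(strlen(str) + 1);`, is the same allocation that had to be fixed in the static url_decode in src/u_request.c, so the decoder appears to exist twice with the same signature. Consider having u_request.c call ulfius_url_decode, or at least cross-reference the two in comments, so a future allocator change cannot be applied to one copy only.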
-- 
2.34.1
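
The mismatch described in the report, as an added example that is not part of the original message or of ulfius: a small tracking allocator is registered through a hook table, and a string copy is allocated once with libc malloc (the pre-patch pattern) and once through the hook (the post-patch pattern). The names hook_malloc, hook_free, track_malloc, track_free, copy_with and run_case are hypothetical; the hook table only stands in for the idea of o_set_alloc_funcs().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hook table standing in for the idea of o_set_alloc_funcs(). */
static void *(*hook_malloc)(size_t) = malloc;
static void (*hook_free)(void *) = free;

/* Constructed tracking allocator: remembers every block it handed out. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int foreign_frees;

static void *track_malloc(size_t n) {
  void *p = malloc(n);
  for (int i = 0; p != NULL && i < MAX_LIVE; i++)
    if (live[i] == NULL) { live[i] = p; return p; }
  free(p);                      /* table full (or p is NULL): report failure */
  return NULL;
}

static void track_free(void *p) {
  if (p == NULL) return;
  for (int i = 0; i < MAX_LIVE; i++)
    if (live[i] == p) { live[i] = NULL; free(p); return; }
  foreign_frees++;              /* not ours: a real allocator would crash here */
  free(p);                      /* demo only: we know it came from libc */
}

static char *copy_with(void *(*alloc)(size_t), const char *s) {
  char *buf = alloc(strlen(s) + 1);
  if (buf != NULL) strcpy(buf, s);
  return buf;
}

/* Returns how many foreign blocks the custom free function was handed. */
int run_case(int patched) {
  hook_malloc = track_malloc;
  hook_free = track_free;
  foreign_frees = 0;
  /* pre-patch: libc malloc directly; post-patch: the registered hook */
  char *s = copy_with(patched ? hook_malloc : malloc, "a%20b");
  hook_free(s);
  return foreign_frees;
}

int main(void) {
  printf("pre-patch foreign frees:  %d\n", run_case(0));
  printf("post-patch foreign frees: %d\n", run_case(1));
  return 0;
}
```

The tracking allocator only counts the foreign block so the run can finish; an allocator that keeps its own metadata next to each block has nothing valid to read for a libc pointer.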


