Fix segfault-prone code paths across core and apps

Marcel Hecko · Marcel Hecko · commit c0a0c9918f9a · 2026-02-25T01:21:20.000+01:00
- AmArg::pop_back: replace undefined erase(end()) with pop_back()
- trans_table: replace assert-only dynamic_cast guards with runtime
  NULL checks and error returns (asserts compiled out in release)
- SBC: add args.size() bounds checks before accessing AmArg elements
  in postControlCmd, reloadProfile, loadProfile, setActiveProfile,
  setRegexMap, loadCallcontrolModules
- sems.cpp: rewrite signal handler to only set sig_atomic_t flags;
  move unsafe work (mutex, event broadcast) to process_pending_signals()
  called from the SIP event loop
- AmConferenceChannel: remove dangerous delete-this in on_flushed()
  callback; object lifetime is managed by owning AmConferenceChannel
- ip_util: fix uninitialized str[0] read in am_inet_ntop_sip IPv6 path;
  set '[' before inet_ntop and add buffer overflow guards
- AmSmtpClient: check socket() return before connect()
- AmEventDispatcher::broadcast: collect queue pointers under lock then
  post events outside lock to prevent iterator invalidation
- DSMChartReader::importModule: add missing dlclose() on error paths
- AmUtils/arg_conversion: sprintf -&gt; snprintf to prevent buffer overflows
- log.cpp: check malloc return in __lds before using funcname pointer
- tcp_trsp: guard memmove against integer underflow when addr_shift
  exceeds input_len
- RpcPeer: check socket() return before fcntl/connect
diff --git a/apps/dsm/DSMChartReader.cpp b/apps/dsm/DSMChartReader.cpp
@@ -243,13 +243,15 @@ bool DSMChartReader::importModule(const string& mod_cmd, const string& mod_path)
   SCFactoryCreate fc = NULL;
   if ((fc = (SCFactoryCreate)dlsym(h_dl,SC_FACTORY_EXPORT_STR)) == NULL) {
     ERROR("invalid SC module '%s' (SC_EXPORT missing?)\n", fname.c_str());
+    dlclose(h_dl);
     return false;
   }
-   
+
   DSMModule* mod = (DSMModule*)fc();
   if (!mod) {
-    ERROR("module '%s' did not return functions.\n", 
+    ERROR("module '%s' did not return functions.\n",
 	  fname.c_str());
+    dlclose(h_dl);
     return false;
   }
   mods.push_back(mod);
diff --git a/apps/jsonrpc/RpcPeer.cpp b/apps/jsonrpc/RpcPeer.cpp
@@ -94,6 +94,10 @@ int JsonrpcNetstringsConnection::connect(const string& host, int port,
   // }
 
   fd = socket(PF_INET, SOCK_STREAM, 0);
+  if(fd < 0) {
+    res_str = "socket() failed: " + string(strerror(errno));
+    return 300;
+  }
   sa.sin_port = htons(port);
   sa.sin_family = PF_INET;
 
diff --git a/apps/sbc/SBC.cpp b/apps/sbc/SBC.cpp
@@ -542,6 +542,11 @@ void SBCFactory::reloadProfiles(const AmArg& args, AmArg& ret) {
 }
 
 void SBCFactory::reloadProfile(const AmArg& args, AmArg& ret) {
+  if (!args.size()) {
+    ret.push(400);
+    ret.push("Parameters error: missing arguments");
+    return;
+  }
   bool failed = false;
   string res = "OK";
   AmArg p;
@@ -583,7 +588,7 @@ void SBCFactory::reloadProfile(const AmArg& args, AmArg& ret) {
 }
 
 void SBCFactory::loadProfile(const AmArg& args, AmArg& ret) {
-  if (!args[0].hasMember("name") || !args[0].hasMember("path")) {
+  if (!args.size() || !args[0].hasMember("name") || !args[0].hasMember("path")) {
     ret.push(400);
     ret.push("Parameters error: expected ['name': profile_name] "
 	     "and ['path': profile_path]");
@@ -623,7 +628,7 @@ void SBCFactory::getActiveProfile(const AmArg& args, AmArg& ret) {
 }
 
 void SBCFactory::setActiveProfile(const AmArg& args, AmArg& ret) {
-  if (!args[0].hasMember("active_profile")) {
+  if (!args.size() || !args[0].hasMember("active_profile")) {
     ret.push(400);
     ret.push("Parameters error: expected ['active_profile': <active_profile list>] ");
     return;
@@ -651,7 +656,7 @@ void SBCFactory::getRegexMapNames(const AmArg& args, AmArg& ret) {
 }
 
 void SBCFactory::setRegexMap(const AmArg& args, AmArg& ret) {
-  if (!args[0].hasMember("name") || !args[0].hasMember("file") ||
+  if (!args.size() || !args[0].hasMember("name") || !args[0].hasMember("file") ||
       !isArgCStr(args[0]["name"]) || !isArgCStr(args[0]["file"])) {
     ret.push(400);
     ret.push("Parameters error: expected ['name': <name>, 'file': <file name>]");
@@ -673,6 +678,11 @@ void SBCFactory::setRegexMap(const AmArg& args, AmArg& ret) {
 }
 
 void SBCFactory::loadCallcontrolModules(const AmArg& args, AmArg& ret) {
+  if (!args.size()) {
+    ret.push(400);
+    ret.push("Parameters error: missing arguments");
+    return;
+  }
   string load_cc_plugins = args[0].asCStr();
   if (!load_cc_plugins.empty()) {
     INFO("loading call control plugins '%s' from '%s'\n",
@@ -691,6 +701,11 @@ void SBCFactory::loadCallcontrolModules(const AmArg& args, AmArg& ret) {
 }
 
 void SBCFactory::postControlCmd(const AmArg& args, AmArg& ret) {
+  if (args.size()<2) {
+    ret.push(400);
+    ret.push("Parameters error: expected at least cmd and ltag");
+    return;
+  }
   SBCControlEvent* evt;
   if (args.size()<3) {
     evt = new SBCControlEvent(args[1].asCStr());
diff --git a/apps/sbc/arg_conversion.cpp b/apps/sbc/arg_conversion.cpp
@@ -17,23 +17,23 @@ static string arg2string(const AmArg &a)
   switch (a.getType()) {
     case AmArg::CStr:
       p = a.asCStr();
-      sprintf(tmp, "%c%zd/", CSTR_LABEL, strlen(p));
+      snprintf(tmp, sizeof(tmp), "%c%zd/", CSTR_LABEL, strlen(p));
       s = tmp;
       s += p;
       return s;
 
     case AmArg::Array:
-      sprintf(tmp, "%c%zd/", ARRAY_LABEL, a.size());
+      snprintf(tmp, sizeof(tmp), "%c%zd/", ARRAY_LABEL, a.size());
       s = tmp;
       for (size_t i = 0; i < a.size(); i ++) s += arg2string(a[i]);
       return s;
 
     case AmArg::Struct:
-      sprintf(tmp, "%c%zd/", STRUCT_LABEL, a.size());
+      snprintf(tmp, sizeof(tmp), "%c%zd/", STRUCT_LABEL, a.size());
       s = tmp;
       for (AmArg::ValueStruct::const_iterator it = a.asStruct()->begin();
            it != a.asStruct()->end(); ++it) {
-        sprintf(tmp, "%zd/", it->first.size());
+        snprintf(tmp, sizeof(tmp), "%zd/", it->first.size());
         s += tmp;
         s += it->first;
         s += arg2string(it->second);
diff --git a/apps/voicemail/AmSmtpClient.cpp b/apps/voicemail/AmSmtpClient.cpp
@@ -95,8 +95,13 @@ bool AmSmtpClient::connect(const string& _server_ip, unsigned short _server_port
   }
 
   sd = socket(PF_INET, SOCK_STREAM, 0);
+  if(sd < 0) {
+    ERROR("socket() failed: %s\n",strerror(errno));
+    return false;
+  }
   if(::connect(sd,(struct sockaddr *)&addr,sizeof(addr)) == -1) {
     ERROR("%s\n",strerror(errno));
+    close();
     return false;
   }
     
diff --git a/core/AmArg.cpp b/core/AmArg.cpp
@@ -202,7 +202,7 @@ void AmArg::pop_back(AmArg &a) {
     return;
   }
   a = v_array->back();
-  v_array->erase(v_array->end());
+  v_array->pop_back();
 }
 
 void AmArg::pop_back() {
diff --git a/core/AmConferenceChannel.cpp b/core/AmConferenceChannel.cpp
@@ -121,6 +121,8 @@ int ChannelWritingFile::write_to_file(const void* buf, unsigned int len) {
 }
 
 void ChannelWritingFile::on_flushed() {
-  DBG("file on_flushed, deleting self\n");
-  delete this; // uh!
+  DBG("file on_flushed\n");
+  // Note: this object is owned by AmConferenceChannel and will be
+  // cleaned up when the channel is destroyed. Do not delete here
+  // as the parent still holds a raw pointer to us.
 }
diff --git a/core/AmEventDispatcher.cpp b/core/AmEventDispatcher.cpp
@@ -204,16 +204,18 @@ bool AmEventDispatcher::broadcast(AmEvent* ev)
     for (size_t i=0;i<EVENT_DISPATCHER_BUCKETS;i++) {
       queues_mut[i].lock();
 
-      EvQueueMapIter it = queues[i].begin(); 
-      while (it != queues[i].end()) {
-	EvQueueMapIter this_evq = it;
-	it++;
-	queues_mut[i].unlock();
-	this_evq->second.q->postEvent(ev->clone());
-	queues_mut[i].lock();
-	posted = true;
+      std::vector<AmEventQueueInterface*> bucket_queues;
+      for (EvQueueMapIter it = queues[i].begin();
+	   it != queues[i].end(); ++it) {
+	bucket_queues.push_back(it->second.q);
       }
+
       queues_mut[i].unlock();
+
+      for (size_t j=0;j<bucket_queues.size();j++) {
+	bucket_queues[j]->postEvent(ev->clone());
+	posted = true;
+      }
     }
 
     delete ev;
diff --git a/core/AmUtils.cpp b/core/AmUtils.cpp
@@ -164,7 +164,7 @@ string long2hex(unsigned long val)
 /** Convert a double to a string. (from jsoncpp) */
 string double2str(double val) {
   char buffer[32];
-  sprintf(buffer, "%#.16g", val); 
+  snprintf(buffer, sizeof(buffer), "%#.16g", val);
   char* ch = buffer + strlen(buffer) - 1;
   if (*ch != '0') return buffer; // nothing to truncate, so save time
   while(ch > buffer && *ch == '0'){
@@ -523,8 +523,8 @@ std::string URL_encode(const std::string &s)
         else
         {
             escaped.append("%");
-            char buf[3];
-            sprintf(buf, "%.2X", (unsigned char)s[i]);
+            char buf[4];
+            snprintf(buf, sizeof(buf), "%.2X", (unsigned char)s[i]);
             escaped.append(buf);
         }
     }
diff --git a/core/SipCtrlInterface.cpp b/core/SipCtrlInterface.cpp
@@ -28,6 +28,7 @@
  */
 #include "SipCtrlInterface.h"
 
+#include "sems.h"
 #include "AmUtils.h"
 #include "AmSipMsg.h"
 #include "AmMimeBody.h"
@@ -400,7 +401,8 @@ int _SipCtrlInterface::run()
     }
 
     while (!stopped.get()) {
-        stopped.wait_for();
+        stopped.wait_for_to(500); // wake periodically to process signals
+	process_pending_signals();
     }
 
     DBG("SIP control interface ending\n");
diff --git a/core/log.cpp b/core/log.cpp
@@ -243,6 +243,10 @@ void __lds(int ll, unsigned int max_frames)
   // allocate string which will be filled with the demangled function name
   size_t funcnamesize = 256;
   char* funcname = (char*)malloc(funcnamesize);
+  if (!funcname) {
+    free(symbollist);
+    return;
+  }
 
   // iterate over the returned symbol lines. skip the first, it is the
   // address of this function.
diff --git a/core/sems.cpp b/core/sems.cpp
@@ -235,14 +235,22 @@ static bool apply_args(std::map<char,string>& args)
 /** Flag to mark the shutdown is in progress (in the main process) */
 static AmCondition<bool> is_shutting_down(false);
 
+/* Signal-safe flags - only written by signal handler, read by main loop */
+static volatile sig_atomic_t sig_usr1_received;
+static volatile sig_atomic_t sig_usr2_received;
+static volatile sig_atomic_t sig_hup_received;
+static volatile sig_atomic_t sig_shutdown_received;
+static volatile sig_atomic_t sig_unclean_shutdown;
+
 static void signal_handler(int sig)
 {
-  if (sig == SIGUSR1 || sig == SIGUSR2) {
-    DBG("brodcasting User event to %u sessions...\n",
-	AmSession::getSessionNum());
-    AmEventDispatcher::instance()->
-      broadcast(new AmSystemEvent(sig == SIGUSR1? 
-				  AmSystemEvent::User1 : AmSystemEvent::User2));
+  if (sig == SIGUSR1) {
+    sig_usr1_received = 1;
+    return;
+  }
+
+  if (sig == SIGUSR2) {
+    sig_usr2_received = 1;
     return;
   }
 
@@ -254,29 +262,58 @@ static void signal_handler(int sig)
     return;
   }
 
-  WARN("Signal %s (%d) received.\n", strsignal(sig), sig);
-
   if (sig == SIGHUP) {
-    AmSessionContainer::instance()->broadcastShutdown();
+    sig_hup_received = 1;
     return;
   }
 
   if (sig == SIGTERM) {
-    AmSessionContainer::instance()->enableUncleanShutdown();
+    sig_unclean_shutdown = 1;
   }
 
   if (main_pid == getpid()) {
+    sig_shutdown_received = 1;
+  }
+  else {
+    _exit(0);
+  }
+}
+
+/** Process deferred signals from the signal handler (call from main loop). */
+void process_pending_signals()
+{
+  if (sig_usr1_received) {
+    sig_usr1_received = 0;
+    DBG("broadcasting User1 event to %u sessions...\n",
+	AmSession::getSessionNum());
+    AmEventDispatcher::instance()->
+      broadcast(new AmSystemEvent(AmSystemEvent::User1));
+  }
+  if (sig_usr2_received) {
+    sig_usr2_received = 0;
+    DBG("broadcasting User2 event to %u sessions...\n",
+	AmSession::getSessionNum());
+    AmEventDispatcher::instance()->
+      broadcast(new AmSystemEvent(AmSystemEvent::User2));
+  }
+  if (sig_hup_received) {
+    sig_hup_received = 0;
+    WARN("SIGHUP received.\n");
+    AmSessionContainer::instance()->broadcastShutdown();
+  }
+  if (sig_unclean_shutdown) {
+    sig_unclean_shutdown = 0;
+    WARN("SIGTERM received.\n");
+    AmSessionContainer::instance()->enableUncleanShutdown();
+  }
+  if (sig_shutdown_received) {
+    sig_shutdown_received = 0;
     if(!is_shutting_down.get()) {
       is_shutting_down.set(true);
-
       INFO("Stopping SIP stack after signal\n");
       sip_ctrl.stop();
     }
   }
-  else {
-    /* exit other processes immediately */
-    exit(0);
-  }
 }
 
 int set_sighandler(void (*handler)(int))
diff --git a/core/sems.h b/core/sems.h
@@ -74,4 +74,7 @@
 
 extern const char* progname;
 
+/** Process deferred signals from the signal handler (call from main loop). */
+void process_pending_signals();
+
 #endif
diff --git a/core/sip/ip_util.cpp b/core/sip/ip_util.cpp
@@ -95,12 +95,20 @@ const char* am_inet_ntop_sip(const sockaddr_storage* addr, char* str, size_t siz
     }
   }
   else {
+    if(size < 4) {
+      ERROR("Buffer too small for IPv6 address\n");
+      return NULL;
+    }
+    str[0] = '[';
     if(!inet_ntop(AF_INET6,&sin6->sin6_addr,str+1,size-2)) {
       ERROR("Could not convert IPv6 address to string: %s",strerror(errno));
       return NULL;
     }
     size_t str_len = strlen(str);
-    str[0] = '[';
+    if(str_len + 2 > size) {
+      ERROR("Buffer too small for bracketed IPv6 address\n");
+      return NULL;
+    }
     str[str_len] = ']';
     str[str_len+1] = '\0';
   }
diff --git a/core/sip/tcp_trsp.cpp b/core/sip/tcp_trsp.cpp
@@ -372,6 +372,11 @@ int tcp_trsp_socket::parse_input()
 	if(pst.orig_buf > (char*)input_buf) {
 
 	  int addr_shift = pst.orig_buf - (char*)input_buf;
+	  if(addr_shift < 0 || (unsigned int)addr_shift > input_len) {
+	    ERROR("parser state inconsistency: addr_shift=%d, input_len=%u\n",
+		  addr_shift, input_len);
+	    return -1;
+	  }
 	  memmove(input_buf, pst.orig_buf, input_len - addr_shift);
 
 	  pst.orig_buf = (char*)input_buf;
diff --git a/core/sip/trans_table.cpp b/core/sip/trans_table.cpp

Original file line number	Diff line number	Diff line change
`@@ -95,8 +95,13 @@ bool AmSmtpClient::connect(const string& _server_ip, unsigned short _server_port`
`95`	`95`	`}`
`96`	`96`
`97`	`97`	`sd = socket(PF_INET, SOCK_STREAM, 0);`
	`98`	`+ if(sd < 0) {`
	`99`	`+ ERROR("socket() failed: %s\n",strerror(errno));`
	`100`	`+ return false;`
	`101`	`+ }`
`98`	`102`	`if(::connect(sd,(struct sockaddr *)&addr,sizeof(addr)) == -1) {`
`99`	`103`	`ERROR("%s\n",strerror(errno));`
	`104`	`+ close();`
`100`	`105`	`return false;`
`101`	`106`	`}`
`102`	`107`
Original file line number	Diff line number	Diff line change
`@@ -202,7 +202,7 @@ void AmArg::pop_back(AmArg &a) {`
`202`	`202`	`return;`
`203`	`203`	`}`
`204`	`204`	`a = v_array->back();`
`205`		`- v_array->erase(v_array->end());`
	`205`	`+ v_array->pop_back();`
`206`	`206`	`}`
`207`	`207`
`208`	`208`	`void AmArg::pop_back() {`
Original file line number	Diff line number	Diff line change
`@@ -121,6 +121,8 @@ int ChannelWritingFile::write_to_file(const void* buf, unsigned int len) {`
`121`	`121`	`}`
`122`	`122`
`123`	`123`	`void ChannelWritingFile::on_flushed() {`
`124`		`- DBG("file on_flushed, deleting self\n");`
`125`		`- delete this; // uh!`
	`124`	`+ DBG("file on_flushed\n");`
	`125`	`+ // Note: this object is owned by AmConferenceChannel and will be`
	`126`	`+ // cleaned up when the channel is destroyed. Do not delete here`
	`127`	`+ // as the parent still holds a raw pointer to us.`
`126`	`128`	`}`
Original file line number	Diff line number	Diff line change
`@@ -164,7 +164,7 @@ string long2hex(unsigned long val)`
`164`	`164`	`/** Convert a double to a string. (from jsoncpp) */`
`165`	`165`	`string double2str(double val) {`
`166`	`166`	`char buffer[32];`
`167`		`- sprintf(buffer, "%#.16g", val);`
	`167`	`+ snprintf(buffer, sizeof(buffer), "%#.16g", val);`
`168`	`168`	`char* ch = buffer + strlen(buffer) - 1;`
`169`	`169`	`if (*ch != '0') return buffer; // nothing to truncate, so save time`
`170`	`170`	`while(ch > buffer && *ch == '0'){`
`@@ -523,8 +523,8 @@ std::string URL_encode(const std::string &s)`
`523`	`523`	`else`
`524`	`524`	`{`
`525`	`525`	`escaped.append("%");`
`526`		`- char buf[3];`
`527`		`- sprintf(buf, "%.2X", (unsigned char)s[i]);`
	`526`	`+ char buf[4];`
	`527`	`+ snprintf(buf, sizeof(buf), "%.2X", (unsigned char)s[i]);`
`528`	`528`	`escaped.append(buf);`
`529`	`529`	`}`
`530`	`530`	`}`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@`
`28`	`28`	`*/`
`29`	`29`	`#include "SipCtrlInterface.h"`
`30`	`30`
	`31`	`+#include "sems.h"`
`31`	`32`	`#include "AmUtils.h"`
`32`	`33`	`#include "AmSipMsg.h"`
`33`	`34`	`#include "AmMimeBody.h"`
`@@ -400,7 +401,8 @@ int _SipCtrlInterface::run()`
`400`	`401`	`}`
`401`	`402`
`402`	`403`	`while (!stopped.get()) {`
`403`		`- stopped.wait_for();`
	`404`	`+ stopped.wait_for_to(500); // wake periodically to process signals`
	`405`	`+ process_pending_signals();`
`404`	`406`	`}`
`405`	`407`
`406`	`408`	`DBG("SIP control interface ending\n");`