Client API degraded use case: invalid pointer dereference when providing an uninitialized message request
Description
If a message request is passed to SOPC_ToolkitClient_AsyncSendDiscoveryRequest without being initialized first, an invalid pointer dereference occurs in the Toolkit:
Debug trace:
p *(OpcUa_GetEndpointsRequest *)params
$1 = {encodeableType = 0x0, EndpointUrl = {Length = 24, DoNotClear = true, Data = 0x4c68df "opc.tcp://localhost:4841"}, NoOfLocaleIds = 0, LocaleIds = 0x0, NoOfProfileUris = 0, ProfileUris = 0x0}
(rr) bt
#0 0x0000000000466c53 in util_message__get_message_type (encType=0x0, message__msg_type=0x7f03735bbdfc) at csrc/services/b2c/util_b2c.c:382
#1 0x000000000047d112 in message_out_bs__get_msg_out_type (message_out_bs__msg=0x12786c0, message_out_bs__msgtype=0x7f03735bbdfc)
at csrc/services/b2c/message_out_bs.c:269
#2 0x000000000047d14d in message_out_bs__is_valid_app_msg_out (message_out_bs__msg=0x12786c0, message_out_bs__bres=0x7f03735bbe4f)
at csrc/services/b2c/message_out_bs.c:280
#3 0x0000000000477d01 in io_dispatch_mgr__client_send_discovery_request (io_dispatch_mgr__channel_config_idx=1, io_dispatch_mgr__req_msg=0x12786c0, io_dispatch_mgr__app_context=19364944,
io_dispatch_mgr__ret=0x7f03735bbe94) at csrc/services/bgenc/io_dispatch_mgr.c:523
#4 0x0000000000468ec8 in SOPC_ServicesEventDispatcher (scEvent=18, id=1, params=0x12786c0, auxParam=19364944) at csrc/services/sopc_services_api.c:342
#5 0x000000000046ab52 in SOPC_ThreadStartEventDispatcherManager (pEventMgr=0x12775c0) at csrc/helpers/sopc_event_dispatcher_manager.c:61
#6 0x00007f0375c9d184 in start_thread (arg=0x7f03735bc700) at pthread_create.c:312
Analysis
The B model should check the validity of the input message. It does, but only for the message structure pointer, which is guaranteed not to be NULL. It seems necessary to also check that the encodeableType field is not NULL. Moreover, the helper function that extracts the message type does not check for a NULL pointer before dereferencing it.
Note: all message structures shall be initialized by the application before being provided, either with the specialized OpcUa_*_Initialize function or with the SOPC_Encodeable_Create helper, which also initializes the provided message structure.
Bugfix
- The message validity check operation used by the B model shall also check that the encodeableType field is not NULL when the provided message structure pointer is not NULL
- The helper function that extracts the message type shall check that the pointer is not NULL, since the B model defines no direct precondition on this function
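The following is an added, self-contained C model of the two fixes above; it is not Toolkit code, and the type and function names (EncodeableType, GetEndpointsRequest, get_message_type_checked, is_valid_app_msg_out, client_send_discovery_request) are hypothetical stand-ins for the S2OPC ones in the trace. It shows the unchecked helper beside the checked one, the validity check that also tests encodeableType, and that a request with only its EndpointUrl set (as in the report) is now rejected instead of dereferenced.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed stand-ins for the Toolkit types; names are hypothetical, not S2OPC's. */
typedef struct { const char *name; } EncodeableType;
typedef struct {
    const EncodeableType *encodeableType; /* NULL until the message is initialized */
    const char *endpointUrl;
} GetEndpointsRequest;
typedef enum { MSG_TYPE_UNKNOWN = 0, MSG_TYPE_GET_ENDPOINTS = 1 } MsgType;
static const EncodeableType GetEndpointsRequest_Type = { "GetEndpointsRequest" };
/* Plays the role of OpcUa_GetEndpointsRequest_Initialize: zero the struct, set its type. */
void GetEndpointsRequest_Initialize(GetEndpointsRequest *req) {
    memset(req, 0, sizeof(*req));
    req->encodeableType = &GetEndpointsRequest_Type;
}
/* Before: the helper dereferences encType unconditionally (frame #0 of the trace). */
MsgType get_message_type_unchecked(const EncodeableType *encType) {
    return strcmp(encType->name, "GetEndpointsRequest") == 0 ? MSG_TYPE_GET_ENDPOINTS : MSG_TYPE_UNKNOWN;
}
/* After: a NULL encType is reported to the caller instead of being dereferenced. */
bool get_message_type_checked(const EncodeableType *encType, MsgType *out) {
    if (encType == NULL || out == NULL) return false;
    *out = get_message_type_unchecked(encType); /* safe: encType verified non-NULL above */
    return true;
}
/* Validity check per the bugfix: message pointer AND its encodeableType must be non-NULL. */
bool is_valid_app_msg_out(const GetEndpointsRequest *msg) {
    return msg != NULL && msg->encodeableType != NULL;
}

/* Models the dispatch path: an invalid message is rejected (-1) rather than dereferenced. */
int client_send_discovery_request(const GetEndpointsRequest *msg) {
    MsgType type;
    if (!is_valid_app_msg_out(msg) || !get_message_type_checked(msg->encodeableType, &type)) return -1;
    return (int) type;
}

/* Reproduces the report: URL set, but the message was never initialized (encodeableType == NULL). */
int send_uninitialized_request(void) {
    GetEndpointsRequest req = { .encodeableType = NULL, .endpointUrl = "opc.tcp://localhost:4841" };
    return client_send_discovery_request(&req); /* -1: rejected, no crash */
}

int send_initialized_request(void) {
    GetEndpointsRequest req;
    GetEndpointsRequest_Initialize(&req);
    req.endpointUrl = "opc.tcp://localhost:4841";
    return client_send_discovery_request(&req); /* 1: MSG_TYPE_GET_ENDPOINTS */
}
```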