Fix issues reported by Coverity

Danielius1922 · Danielius1922 · commit d58c81552d34 · 2025-06-06T13:21:40.000+02:00
Fix issue 525174: Read from pointer after free in oc_cloud_deregister.c
Fix issue 525173: Read from pointer after free in oc_event_callback.c
Fix issue 525172: Read from pointer after free in oc_oscore_engine.c
diff --git a/api/cloud/oc_cloud_deregister.c b/api/cloud/oc_cloud_deregister.c
@@ -229,8 +229,8 @@ cloud_deregister_refreshed_token_async(void *data)
   if (oc_cloud_check_accesstoken_for_deregister(p->ctx)) {
     if (cloud_deregister_by_request(p, p->timeout, true) != 0) {
       OC_CLOUD_ERR("Failed to deregister from cloud");
-      oc_cloud_api_free_param(p);
       cloud_context_clear(p->ctx);
+      oc_cloud_api_free_param(p);
     }
     return OC_EVENT_DONE;
   }
@@ -239,8 +239,8 @@ cloud_deregister_refreshed_token_async(void *data)
   if (oc_cloud_do_login(p->ctx, cloud_deregister_try_logged_in, p,
                         p->timeout) != 0) {
     OC_CLOUD_ERR("Failed to login to cloud for deregister");
-    oc_cloud_api_free_param(p);
     cloud_context_clear(p->ctx);
+    oc_cloud_api_free_param(p);
     return OC_EVENT_DONE;
   }
   return OC_EVENT_DONE;
diff --git a/api/oc_event_callback.c b/api/oc_event_callback.c
@@ -198,13 +198,13 @@ event_callbacks_poll_timers(oc_list_t list, oc_memb_t *cb_pool)
 {
   oc_event_callback_t *event_cb = (oc_event_callback_t *)oc_list_head(list);
   while (event_cb != NULL) {
-    oc_event_callback_t *next = event_cb->next;
     if (!oc_etimer_expired(&event_cb->timer)) {
-      event_cb = next;
+      event_cb = event_cb->next;
       continue;
     }
     g_currently_processed_event_cb = event_cb;
     g_currently_processed_event_cb_delete = false;
+    g_currently_processed_event_on_delete = NULL;
     if ((event_cb->callback(event_cb->data) == OC_EVENT_DONE) ||
         g_currently_processed_event_cb_delete) {
       oc_list_remove(list, event_cb);
diff --git a/api/oc_message.c b/api/oc_message.c
@@ -192,11 +192,29 @@ oc_message_add_ref(oc_message_t *message)
   }
 }
 
+uint8_t
+oc_message_refcount(const oc_message_t *message)
+{
+  return OC_ATOMIC_LOAD8(message->ref_count);
+}
+
 void
-oc_message_unref(oc_message_t *message)
+oc_message_deallocate(oc_message_t *message)
+{
+  oc_memb_t *pool = message->pool;
+  message_deallocate(message, pool);
+  OC_TRACE("buffer: deallocated message(%p) from pool(%p)", (void *)message,
+           (void *)pool);
+#ifdef OC_HAS_FEATURE_ALLOCATOR_MUTEX
+  OC_TRACE("buffer: freed TX/RX buffer; num free: %d", oc_memb_numfree(pool));
+#endif /* OC_HAS_FEATURE_ALLOCATOR_MUTEX*/
+}
+
+bool
+oc_message_unref2(oc_message_t *message)
 {
   if (message == NULL) {
-    return;
+    return false;
   }
   bool dealloc = false;
   uint8_t count = OC_ATOMIC_LOAD8(message->ref_count);
@@ -214,16 +232,16 @@ oc_message_unref(oc_message_t *message)
   if (!dealloc) {
     OC_TRACE("buffer: message(%p) unreferenced, ref_count=%d", (void *)message,
              (int)new_count);
-    return;
+    return false;
   }
+  oc_message_deallocate(message);
+  return true;
+}
 
-  oc_memb_t *pool = message->pool;
-  message_deallocate(message, pool);
-  OC_TRACE("buffer: deallocated message(%p) from pool(%p)", (void *)message,
-           (void *)pool);
-#ifdef OC_HAS_FEATURE_ALLOCATOR_MUTEX
-  OC_TRACE("buffer: freed TX/RX buffer; num free: %d", oc_memb_numfree(pool));
-#endif /* OC_HAS_FEATURE_ALLOCATOR_MUTEX*/
+void
+oc_message_unref(oc_message_t *message)
+{
+  oc_message_unref2(message);
 }
 
 #ifdef OC_HAS_FEATURE_MESSAGE_DYNAMIC_BUFFER
diff --git a/api/oc_message_internal.h b/api/oc_message_internal.h
@@ -22,6 +22,7 @@
 #include "port/oc_connectivity.h"
 #include "util/oc_features.h"
 
+#include <stdbool.h>
 #include <stddef.h>
 
 #ifdef __cplusplus
@@ -68,6 +69,16 @@ oc_message_t *oc_message_allocate_outgoing_with_size(size_t size);
  */
 size_t oc_message_max_buffer_size(void);
 
+/** @brief Get the current reference count */
+uint8_t oc_message_refcount(const oc_message_t *message) OC_NONNULL();
+
+/** @brief Decrease reference count and return true if message was
+ * deallocated.*/
+bool oc_message_unref2(oc_message_t *message);
+
+/** @brief Deallocate the message */
+void oc_message_deallocate(oc_message_t *message) OC_NONNULL();
+
 /**
  * @brief Get size of the message buffer
  *
diff --git a/messaging/coap/engine.c b/messaging/coap/engine.c
@@ -158,8 +158,8 @@ coap_send_empty_response(coap_message_type_t type, uint16_t mid,
 
   message->length = len;
   coap_send_message(message);
-  if (message->ref_count == 0) {
-    oc_message_unref(message);
+  if (oc_message_refcount(message) == 0) {
+    oc_message_deallocate(message);
   }
 }
 
diff --git a/messaging/coap/separate.c b/messaging/coap/separate.c
@@ -154,8 +154,8 @@ coap_separate_accept(const coap_packet_t *request,
     memcpy(&message->endpoint, endpoint, sizeof(oc_endpoint_t));
     coap_send_message(message);
 
-    if (message->ref_count == 0) {
-      oc_message_unref(message);
+    if (oc_message_refcount(message) == 0) {
+      oc_message_deallocate(message);
     }
   }
 
diff --git a/security/oc_oscore_engine.c b/security/oc_oscore_engine.c

Original file line number	Diff line number	Diff line change
`@@ -229,8 +229,8 @@ cloud_deregister_refreshed_token_async(void *data)`
`229`	`229`	`if (oc_cloud_check_accesstoken_for_deregister(p->ctx)) {`
`230`	`230`	`if (cloud_deregister_by_request(p, p->timeout, true) != 0) {`
`231`	`231`	`OC_CLOUD_ERR("Failed to deregister from cloud");`
`232`		`- oc_cloud_api_free_param(p);`
`233`	`232`	`cloud_context_clear(p->ctx);`
	`233`	`+ oc_cloud_api_free_param(p);`
`234`	`234`	`}`
`235`	`235`	`return OC_EVENT_DONE;`
`236`	`236`	`}`
`@@ -239,8 +239,8 @@ cloud_deregister_refreshed_token_async(void *data)`
`239`	`239`	`if (oc_cloud_do_login(p->ctx, cloud_deregister_try_logged_in, p,`
`240`	`240`	`p->timeout) != 0) {`
`241`	`241`	`OC_CLOUD_ERR("Failed to login to cloud for deregister");`
`242`		`- oc_cloud_api_free_param(p);`
`243`	`242`	`cloud_context_clear(p->ctx);`
	`243`	`+ oc_cloud_api_free_param(p);`
`244`	`244`	`return OC_EVENT_DONE;`
`245`	`245`	`}`
`246`	`246`	`return OC_EVENT_DONE;`
Original file line number	Diff line number	Diff line change
`@@ -158,8 +158,8 @@ coap_send_empty_response(coap_message_type_t type, uint16_t mid,`
`158`	`158`
`159`	`159`	`message->length = len;`
`160`	`160`	`coap_send_message(message);`
`161`		`- if (message->ref_count == 0) {`
`162`		`- oc_message_unref(message);`
	`161`	`+ if (oc_message_refcount(message) == 0) {`
	`162`	`+ oc_message_deallocate(message);`
`163`	`163`	`}`
`164`	`164`	`}`
`165`	`165`
Original file line number	Diff line number	Diff line change
`@@ -154,8 +154,8 @@ coap_separate_accept(const coap_packet_t *request,`
`154`	`154`	`memcpy(&message->endpoint, endpoint, sizeof(oc_endpoint_t));`
`155`	`155`	`coap_send_message(message);`
`156`	`156`
`157`		`- if (message->ref_count == 0) {`
`158`		`- oc_message_unref(message);`
	`157`	`+ if (oc_message_refcount(message) == 0) {`
	`158`	`+ oc_message_deallocate(message);`
`159`	`159`	`}`
`160`	`160`	`}`
`161`	`161`