ODMA Incident Report

X000806: Undefended *NULL Assignment Operations

Last updated 2000-08-08-09:17 -0700 (pdt)

Category: Vulnerability - Warning
Incident ID: X000806
Priority: 3 - Non-Critical
Status: Confirmed 2000-08-07. Documentation and Repair to be scheduled.
Component: ODMA32.dll and Odma.dll, all distributed versions up to 2.0.0
Repaired in: none
Related information: X000801
Assigned To: Dennis E. Hamilton
Reported By: Dennis E. Hamilton 2000-08-05
Date Opened: 2000-08-05
Date Closed: none

Summary:

An application that uses ODMRegisterApp or ODMQueryInterface incorrectly can induce a crash in any version of the ODMA Connection Manager.  No direct damage occurs, but users will lose any work in progress, and the DMS being used may be left with incomplete materials in its collection.

There are no reported production incidents attributable to this particular defect.  It is documented as a warning for future trouble-shooting and for maintenance of Connection Manager implementations.

This condition is most likely to occur in development or maintenance of an ODMA-aware application.  The conditions necessary to provoke the crash are unlikely in well-behaved applications in production usage.

Analysis:

  1. The implementation of ODMRegisterApp assigns a provisional NULL result for its output, *pHandle, without validating pHandle first.  If pHandle is NULL, the operation will fail, often with termination of the running application.
  2. The implementation of ODMQueryInterface assigns a provisional NULL result for its output, *ppvObj, without validating ppvObj first.  If ppvObj is NULL, the operation will fail, usually with termination of the running application.
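
The pattern described in both items, next to a defended form and one possible caller-side safeguard. This is an added example, not code from the ODMA Connection Manager; the demo_ types, DEMO_ status codes and register_ function names are hypothetical stand-ins for the real ODMA declarations.

```c
#include <stddef.h>

/* Hypothetical stand-ins; these are not the ODMA header definitions. */
typedef void *demo_handle_t;
enum demo_status { DEMO_OK = 0, DEMO_E_FAIL = 1, DEMO_E_BADARG = 2 };

static int demo_session;  /* constructed object whose address serves as a handle */

/* Pattern from the Analysis: provisional NULL stored through an unchecked pointer. */
enum demo_status register_undefended(demo_handle_t *pHandle, const char *appId)
{
    *pHandle = NULL;                 /* faults here when pHandle == NULL */
    if (appId == NULL || appId[0] == '\0')
        return DEMO_E_FAIL;
    *pHandle = &demo_session;
    return DEMO_OK;
}

/* Defended form: validate the output pointer before the first store. */
enum demo_status register_defended(demo_handle_t *pHandle, const char *appId)
{
    if (pHandle == NULL)
        return DEMO_E_BADARG;        /* report the caller error instead of crashing */
    *pHandle = NULL;                 /* provisional result is now safe to write */
    if (appId == NULL || appId[0] == '\0')
        return DEMO_E_FAIL;
    *pHandle = &demo_session;
    return DEMO_OK;
}

/* Caller-side safeguard for an unrepaired library (an assumption of this
 * example): never forward a NULL output pointer to the library function. */
enum demo_status register_checked(
    enum demo_status (*fn)(demo_handle_t *, const char *),
    demo_handle_t *pHandle, const char *appId)
{
    if (pHandle == NULL)
        return DEMO_E_BADARG;
    return fn(pHandle, appId);
}
```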

Actions:

  1. Identify and report those ODMA Connection Manager functions that make undefended assignments through pointers for results.  Completed: 2000-08-07.  
  2. Describe appropriate work-arounds and any safeguard techniques.
  3. Schedule correction in the next rebuild of ODMA Connection Manager implementations.

Please provide any relevant information and feedback to the ODMA Tech List or directly to the AIIM DMware Technical Coordinator.


created 2000-08-07-14:28 -0700 (pdt) by orcmid
$$Author: Orcmid $
$$Date: 00-08-08 9:21 $
$$Revision: 4 $