From 6eab23fba89afe6cc60220b7d04a5ca043060eb7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pascal=20B=C3=BChler?= Date: Thu, 7 May 2026 15:04:14 +0200 Subject: [PATCH 1/2] cmake: improve sanitizer builds and CI coverage Enable ASan/UBSan for non-Windows CMake CI, fix standalone LSan/TSan option handling, and make the default Debug build type visible in the CMake cache. --- .github/workflows/cmake.yml | 13 ++++++++++++- CMakeLists.txt | 2 +- CMakePresets.json | 30 ++++++++++++++++++++++++++++++ cmake/ConfigSafeGuards.cmake | 8 +++++--- cmake/Sanitizer.cmake | 4 ++-- 5 files changed, 50 insertions(+), 7 deletions(-) create mode 100644 CMakePresets.json diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index e4aafd98a..9cf16b8ff 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -124,7 +124,18 @@ jobs: - name: Configure CMake working-directory: ${{github.workspace}}/build shell: bash - run: cmake $GITHUB_WORKSPACE -DLIBSRTP_TEST_APPS=ON ${{ matrix.cmake-crypto-enable}} ${{env.cmake-crypto-dir}} + run: | + sanitizer_flags="" + if [[ "${{ matrix.os }}" != "windows-latest" ]]; then + sanitizer_flags="-DENABLE_SANITIZE_ADDR=ON -DENABLE_SANITIZE_UNDEF=ON" + fi + + cmake $GITHUB_WORKSPACE \ + -DLIBSRTP_TEST_APPS=ON \ + -DCMAKE_BUILD_TYPE=Debug \ + $sanitizer_flags \ + ${{ matrix.cmake-crypto-enable}} \ + ${{env.cmake-crypto-dir}} - name: Build working-directory: ${{github.workspace}}/build diff --git a/CMakeLists.txt b/CMakeLists.txt index e3de65d28..008f66631 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -132,7 +132,7 @@ include_directories(${CONFIG_FILE_DIR}) configure_file(config_in_cmake.h ${CONFIG_FILE_DIR}/config.h) add_definitions(-DHAVE_CONFIG_H) -if(ENABLE_SANITIZE_ADDR OR ENABLE_SANITIZE_UNDEF) +if(ENABLE_SANITIZE_ADDR OR ENABLE_SANITIZE_UNDEF OR ENABLE_SANITIZE_LEAK OR ENABLE_SANITIZE_THREAD) include(Sanitizer) add_sanitizer_flags() endif() diff --git a/CMakePresets.json b/CMakePresets.json new file mode 100644 index 000000000..0a88e0bda --- /dev/null +++ b/CMakePresets.json @@ -0,0 +1,30 @@ +{ + "version": 3, + "configurePresets": [ + { + "name": "dev", + "displayName": "Developer with ASan/UBSan", + "description": "Debug build with AddressSanitizer/UndefinedBehaviorSanitizer enabled.", + "cacheVariables": { + "CMAKE_BUILD_TYPE": "Debug", + "ENABLE_SANITIZE_ADDR": "ON", + "ENABLE_SANITIZE_UNDEF": "ON" + } + } + ], + "buildPresets": [ + { + "name": "dev", + "configurePreset": "dev" + } + ], + "testPresets": [ + { + "name": "dev", + "configurePreset": "dev", + "output": { + "outputOnFailure": true + } + } + ] +} diff --git a/cmake/ConfigSafeGuards.cmake b/cmake/ConfigSafeGuards.cmake index fe7240f2e..224a74a34 100644 --- a/cmake/ConfigSafeGuards.cmake +++ b/cmake/ConfigSafeGuards.cmake @@ -4,7 +4,9 @@ if(${CMAKE_SOURCE_DIR} STREQUAL ${CMAKE_BINARY_DIR}) "In-source builds not allowed. Please make a build directory.") endif() -if(NOT CMAKE_BUILD_TYPE) - message(STATUS "No build type selected, default to Debug") - set(CMAKE_BUILD_TYPE "Debug") +if(NOT CMAKE_CONFIGURATION_TYPES AND NOT CMAKE_BUILD_TYPE) + message(STATUS "No build type selected, defaulting to Debug") + set(CMAKE_BUILD_TYPE "Debug" CACHE STRING "Build type" FORCE) + set_property(CACHE CMAKE_BUILD_TYPE PROPERTY STRINGS + "Debug" "Release" "RelWithDebInfo" "MinSizeRel") endif() diff --git a/cmake/Sanitizer.cmake b/cmake/Sanitizer.cmake index bd300af0f..8906a934e 100644 --- a/cmake/Sanitizer.cmake +++ b/cmake/Sanitizer.cmake @@ -1,5 +1,5 @@ function(add_sanitizer_flags) - if(NOT ENABLE_SANITIZE_ADDR AND NOT ENABLE_SANITIZE_UNDEF) + if(NOT ENABLE_SANITIZE_ADDR AND NOT ENABLE_SANITIZE_UNDEF AND NOT ENABLE_SANITIZE_LEAK AND NOT ENABLE_SANITIZE_THREAD) return() endif() @@ -24,7 +24,7 @@ function(add_sanitizer_flags) if(ENABLE_SANITIZE_THREAD) if(ENABLE_SANITIZE_ADDR OR ENABLE_SANITIZE_LEAK) - message(WARNING "thread does not work with: address and leak") + message(FATAL_ERROR "sanitize=thread does not work with sanitize=address or sanitize=leak") endif() add_compile_options("-fsanitize=thread") add_link_options("-fsanitize=thread") From 27714e4f81ae1e2b0165ab9c55e0c82fafd98878 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pascal=20B=C3=BChler?= Date: Thu, 7 May 2026 15:52:43 +0200 Subject: [PATCH 2/2] fix memory leak reported in icm mbedtls --- cmake/FindMbedTLS.cmake | 12 ++++++++---- crypto/cipher/aes_gcm_mbedtls.c | 1 + crypto/cipher/aes_icm_mbedtls.c | 1 + 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/cmake/FindMbedTLS.cmake b/cmake/FindMbedTLS.cmake index a6e8a365e..4857cae03 100644 --- a/cmake/FindMbedTLS.cmake +++ b/cmake/FindMbedTLS.cmake @@ -1,8 +1,12 @@ -find_path(MBEDTLS_INCLUDE_DIRS mbedtls/ssl.h) +if (MBEDTLS_ROOT_DIR) + set(_MBEDTLS_ROOT_HINTS_AND_PATHS HINTS ${MBEDTLS_ROOT_DIR} PATH_SUFFIXES include lib NO_DEFAULT_PATH) +endif() + +find_path(MBEDTLS_INCLUDE_DIRS mbedtls/ssl.h ${_MBEDTLS_ROOT_HINTS_AND_PATHS}) -find_library(MBEDTLS_LIBRARY mbedtls) -find_library(MBEDX509_LIBRARY mbedx509) -find_library(MBEDCRYPTO_LIBRARY mbedcrypto) +find_library(MBEDTLS_LIBRARY mbedtls ${_MBEDTLS_ROOT_HINTS_AND_PATHS}) +find_library(MBEDX509_LIBRARY mbedx509 ${_MBEDTLS_ROOT_HINTS_AND_PATHS}) +find_library(MBEDCRYPTO_LIBRARY mbedcrypto ${_MBEDTLS_ROOT_HINTS_AND_PATHS}) set(MBEDTLS_LIBRARIES "${MBEDTLS_LIBRARY}" "${MBEDX509_LIBRARY}" "${MBEDCRYPTO_LIBRARY}") diff --git a/crypto/cipher/aes_gcm_mbedtls.c b/crypto/cipher/aes_gcm_mbedtls.c index 90614b7b4..e91f5197e 100644 --- a/crypto/cipher/aes_gcm_mbedtls.c +++ b/crypto/cipher/aes_gcm_mbedtls.c @@ -256,6 +256,7 @@ static srtp_err_status_t srtp_aes_gcm_mbedtls_dealloc(srtp_cipher_t *c) FUNC_ENTRY(); ctx = (srtp_aes_gcm_ctx_t *)c->state; if (ctx) { + psa_aead_abort(&(ctx->ctx->op)); psa_destroy_key(ctx->ctx->key_id); srtp_crypto_free(ctx->ctx); /* zeroize the key material */ diff --git a/crypto/cipher/aes_icm_mbedtls.c b/crypto/cipher/aes_icm_mbedtls.c index 789a0ff78..e2dd44607 100644 --- a/crypto/cipher/aes_icm_mbedtls.c +++ b/crypto/cipher/aes_icm_mbedtls.c @@ -288,6 +288,7 @@ static srtp_err_status_t srtp_aes_icm_mbedtls_dealloc(srtp_cipher_t *c) */ ctx = (srtp_aes_icm_ctx_t *)c->state; if (ctx != NULL) { + psa_cipher_abort(&(ctx->ctx->op)); psa_destroy_key(ctx->ctx->key_id); srtp_crypto_free(ctx->ctx); /* zeroize the key material */