From f590a3f64d9c0b80c3a41336e6fabbbff48868e5 Mon Sep 17 00:00:00 2001
From: Omar Kallel <omar.kallel@pivasoftware.com>
Date: Wed, 28 Sep 2022 10:42:46 +0100
Subject: [PATCH] Check NULL pointer before string and memory functions calls

---
 src/common.c              | 24 ++++++++++++++++++------
 src/config.c              | 12 ++++++++++--
 src/cwmp.c                |  4 ++--
 src/cwmp_du_state.c       | 16 +++++++++-------
 src/cwmp_uci.c            | 14 +++++++++-----
 src/cwmp_zlib.c           |  4 ++++
 src/datamodel_interface.c |  2 +-
 src/diagnostic.c          |  2 ++
 src/digauth.c             |  4 ++--
 src/download.c            |  3 ++-
 src/event.c               |  2 +-
 src/notifications.c       |  6 ++++--
 src/rpc.c                 | 35 ++++++++++++++++++++++++++---------
 src/subprocess.c          |  2 +-
 src/xml.c                 | 33 +++++++++++++++++++--------------
 15 files changed, 110 insertions(+), 53 deletions(-)

diff --git a/src/common.c b/src/common.c
index 0090e9d..e06c9be 100755
--- a/src/common.c
+++ b/src/common.c
@@ -135,6 +135,8 @@ void add_dm_parameter_to_list(struct list_head *head, char *param_name, char *pa
 	list_for_each (ilist, head) {
 		int cmp;
 		dm_parameter = list_entry(ilist, struct cwmp_dm_parameter, list);
+		if (dm_parameter->name == NULL)
+			continue;
 		cmp = strcmp(dm_parameter->name, param_name);
 		if (cmp == 0) {
 			if (param_val && strcmp(dm_parameter->value, param_val) != 0) {
@@ -163,11 +165,11 @@ void add_dm_parameter_to_list(struct list_head *head, char *param_name, char *pa
 void delete_dm_parameter_from_list(struct cwmp_dm_parameter *dm_parameter)
 {
 	list_del(&dm_parameter->list);
-	free(dm_parameter->name);
-	free(dm_parameter->value);
-	free(dm_parameter->type);
-	free(dm_parameter->access_list);
-	free(dm_parameter);
+	FREE(dm_parameter->name);
+	FREE(dm_parameter->value);
+	FREE(dm_parameter->type);
+	FREE(dm_parameter->access_list);
+	FREE(dm_parameter);
 }
 
 void cwmp_free_all_dm_parameter_list(struct list_head *list)
@@ -253,6 +255,10 @@ void get_firewall_zone_name_by_wan_iface(char *if_wan, char **zone_name)
 	struct uci_section *s;
 	char *network = NULL;
 
+	if (zone_name == NULL)
+		return;
+	if (if_wan == NULL)
+		if_wan = "wan";
 	cwmp_uci_foreach_sections("firewall", "zone", UCI_STANDARD_CONFIG, s)
 	{
 		cwmp_uci_get_value_by_section_string(s, "network", &network);
@@ -463,6 +469,8 @@ int cwmp_get_fault_code_by_string(char *fault_code)
 {
 	int i;
 
+	if (fault_code == NULL)
+		return FAULT_CPE_NO_FAULT;
 	for (i = 1; i < __FAULT_CPE_MAX; i++) {
 		if (strcmp(FAULT_CPE_ARRAY[i].CODE, fault_code) == 0)
 			break;
@@ -515,6 +523,8 @@ void *icwmp_realloc(void *n, size_t size)
 
 char *icwmp_strdup(const char *s)
 {
+	if (s == NULL)
+		return NULL;
 	size_t len = strlen(s) + 1;
 	void *new = icwmp_malloc(len);
 	if (new == NULL)
@@ -614,7 +624,7 @@ void icwmp_restart_services()
 
 		blob_buf_free(&b);
 
-		if (strcmp(list_services[i], "firewall") == 0) {
+		if (list_services[i] && strcmp(list_services[i], "firewall") == 0) {
 			g_firewall_restart = true;
 		}
 	}
@@ -793,6 +803,8 @@ bool is_obj_excluded(const char *object_name)
 {
 	unsigned int i = 0;
 
+	if (object_name == NULL)
+		return false;
 	for (i = 0; i < ARRAY_SIZE(Obj_Excluded); i++) {
 		if (strncmp(Obj_Excluded[i], object_name, strlen(Obj_Excluded[i])) == 0)
 			return true;
diff --git a/src/config.c b/src/config.c
index 8cd2879..6aa9e80 100755
--- a/src/config.c
+++ b/src/config.c
@@ -55,10 +55,16 @@ void get_dhcp_vend_info_cb(struct ubus_request *req, int type __attribute__((unu
 
 			if (tb[E_VENDOR_INFO]) {
 				char *info = blobmsg_get_string(tb[E_VENDOR_INFO]);
+				if (info == NULL) {
+					CWMP_LOG(WARNING, "config %s: info is null", __FUNCTION__);
+					continue;
+				}
 				int len = strlen(info) + 1;
 				*v_info = (char *)malloc(len);
-				if (*v_info == NULL)
-					return;
+				if (*v_info == NULL) {
+					CWMP_LOG(WARNING, "config %s: v_info is null", __FUNCTION__);
+					continue;
+				}
 
 				memset(*v_info, 0, len);
 				snprintf(*v_info, len, "%s", info);
@@ -286,6 +292,8 @@ int get_preinit_config()
 
 	uci_foreach_element(&pkg->sections, e) {
 		struct uci_section *s = uci_to_section(e);
+		if (s== NULL || s->type == NULL)
+			continue;
 		if (strcmp(s->type, "acs") == 0) {
 			config_get_acs_elements(s);
 		} else if (strcmp(s->type, "cpe") == 0) {
diff --git a/src/cwmp.c b/src/cwmp.c
index be70274..c7a7d9d 100644
--- a/src/cwmp.c
+++ b/src/cwmp.c
@@ -125,7 +125,7 @@ static void lookup_event_cb(struct ubus_context *ctx __attribute__((unused)),
 	struct blob_attr *attr;
 	const char *path;
 
-	if (strcmp(type, "ubus.object.add") != 0)
+	if (type && strcmp(type, "ubus.object.add") != 0)
 		return;
 
 	blobmsg_parse(&policy, 1, &attr, blob_data(msg), blob_len(msg));
@@ -133,7 +133,7 @@ static void lookup_event_cb(struct ubus_context *ctx __attribute__((unused)),
 		return;
 
 	path = blobmsg_data(attr);
-	if (strcmp(path, USP_OBJECT_NAME) == 0) {
+	if (path && strcmp(path, USP_OBJECT_NAME) == 0) {
 		g_usp_object_available = true;
 		uloop_end();
 	}
diff --git a/src/cwmp_du_state.c b/src/cwmp_du_state.c
index f554697..9422267 100644
--- a/src/cwmp_du_state.c
+++ b/src/cwmp_du_state.c
@@ -130,10 +130,10 @@ static char *get_software_module_object_eq(char *param1, char *val1, char *param
 	}
 
 	list_for_each_entry (param_value, sw_parameters, list) {
-		if (regexec(&regex1, param_value->name, 0, NULL, 0) == 0 && strcmp(param_value->value, val1) == 0)
+		if (regexec(&regex1, param_value->name, 0, NULL, 0) == 0 && param_value->value && strcmp(param_value->value, val1) == 0)
 			softwaremodule_filter_param = true;
 
-		if (param2 && regexec(&regex2, param_value->name, 0, NULL, 0) == 0 && strcmp(param_value->value, val2) == 0)
+		if (param2 && regexec(&regex2, param_value->name, 0, NULL, 0) == 0 && param_value->value && strcmp(param_value->value, val2) == 0)
 			softwaremodule_filter_param = true;
 
 		if (softwaremodule_filter_param == false)
@@ -158,16 +158,18 @@ static int get_deployment_unit_name_version(char *uuid, char **name, char **vers
 	snprintf(environment_param, sizeof(environment_param), "Device.SoftwareModules.DeploymentUnit.%s.ExecutionEnvRef", sw_by_uuid_instance);
 	struct cwmp_dm_parameter *param_value = NULL;
 	list_for_each_entry (param_value, &sw_parameters, list) {
+		if (param_value->name == NULL)
+			continue;
 		if (strcmp(param_value->name, name_param) == 0) {
-			*name = strdup(param_value->value);
+			*name = strdup(param_value->value) ? param_value->value : "";
 			continue;
 		}
 		if (strcmp(param_value->name, version_param) == 0) {
-			*version = strdup(param_value->value);
+			*version = strdup(param_value->value ? param_value->value : "");
 			continue;
 		}
 		if (strcmp(param_value->name, environment_param) == 0) {
-			*env = strdup(param_value->value);
+			*env = strdup(param_value->value ? param_value->value : "");
 			continue;
 		}
 	}
@@ -221,7 +223,7 @@ static char *get_exec_env_name(char *environment_path)
 	struct cwmp_dm_parameter *param_value = NULL;
 	snprintf(env_param, sizeof(env_param), "%sName", environment_path);
 	list_for_each_entry (param_value, &environment_list, list) {
-		if (strcmp(param_value->name, env_param) == 0) {
+		if (param_value->name && strcmp(param_value->name, env_param) == 0) {
 			env_name = strdup(param_value->value);
 			break;
 		}
@@ -233,7 +235,7 @@ static char *get_exec_env_name(char *environment_path)
 static int cwmp_launch_du_install(char *url, char *uuid, char *user, char *pass, char *env_name, int env_id, struct opresult **pchange_du_state_complete)
 {
 	int error = FAULT_CPE_NO_FAULT;
-	char *fault_code;
+	char *fault_code = NULL;
 
 	(*pchange_du_state_complete)->start_time = strdup(get_time(time(NULL)));
 	cwmp_du_install(url, uuid, user, pass, env_name, env_id, &fault_code);
diff --git a/src/cwmp_uci.c b/src/cwmp_uci.c
index 63a368f..2d4cce0 100644
--- a/src/cwmp_uci.c
+++ b/src/cwmp_uci.c
@@ -231,7 +231,7 @@ int cwmp_uci_get_value_by_section_string(struct uci_section *s, char *option, ch
 	uci_foreach_element(&s->options, e)
 	{
 		o = (uci_to_option(e));
-		if (!strcmp(o->e.name, option)) {
+		if (o && o->e.name && !strcmp(o->e.name, option)) {
 			if (o->type == UCI_TYPE_LIST) {
 				*value = cwmp_uci_list_to_string(&o->v.list, " ");
 			} else {
@@ -262,7 +262,7 @@ int cwmp_uci_get_value_by_section_list(struct uci_section *s, char *option, stru
 	uci_foreach_element(&s->options, e)
 	{
 		o = (uci_to_option(e));
-		if (strcmp(o->e.name, option) == 0) {
+		if (o && o->e.name && strcmp(o->e.name, option) == 0) {
 			switch (o->type) {
 			case UCI_TYPE_LIST:
 				*value = &o->v.list;
@@ -569,6 +569,8 @@ int cwmp_uci_add_section(char *package, char *stype, uci_config_paths uci_type ,
 struct uci_section* get_section_by_section_name(char *package, char *stype, char* sname, uci_config_paths uci_type)
 {
 	struct uci_section *s;
+	if (sname == NULL)
+		return NULL;
 	cwmp_uci_foreach_sections(package, stype, uci_type, s) {
 		if (strcmp(section_name(s), sname) == 0)
 			return s;
@@ -670,7 +672,7 @@ struct uci_section *cwmp_uci_walk_section(char *package, char *stype, void *arg1
 
 	while (&e->list != list_section) {
 		s = uci_to_section(e);
-		if (s && s->type && strcmp(s->type, stype) == 0) {
+		if (s && s->type && stype && strcmp(s->type, stype) == 0) {
 			switch (cmp) {
 			case CWMP_CMP_SECTION:
 				goto end;
@@ -678,14 +680,14 @@ struct uci_section *cwmp_uci_walk_section(char *package, char *stype, void *arg1
 				if (arg1 == NULL || arg2 == NULL)
 					break;
 				cwmp_uci_get_value_by_section_string(s, (char *)arg1, &value);
-				if (strcmp(value, (char *)arg2) == 0)
+				if (value && strcmp(value, (char *)arg2) == 0)
 					goto end;
 				break;
 			case CWMP_CMP_OPTION_CONTAINING:
 				if (arg1 == NULL || arg2 == NULL)
 					break;
 				cwmp_uci_get_value_by_section_string(s, (char *)arg1, &value);
-				if (strstr(value, (char *)arg2))
+				if (value && strstr(value, (char *)arg2))
 					goto end;
 				break;
 			case CWMP_CMP_OPTION_CONT_WORD:
@@ -704,6 +706,8 @@ struct uci_section *cwmp_uci_walk_section(char *package, char *stype, void *arg1
 				if (list_value != NULL) {
 					uci_foreach_element(list_value, m)
 					{
+						if (m == NULL || m->name == NULL)
+							continue;
 						if (strcmp(m->name, (char *)arg2) == 0)
 							goto end;
 					}
diff --git a/src/cwmp_zlib.c b/src/cwmp_zlib.c
index bb0a9bd..6e9bed6 100644
--- a/src/cwmp_zlib.c
+++ b/src/cwmp_zlib.c
@@ -50,6 +50,10 @@ static int strm_init(z_stream *strm, int type)
 /* Example text to print out. */
 int zlib_compress(char *message, unsigned char **zmsg, int *zlen, int type)
 {
+	if (message == NULL) {
+		CWMP_LOG(ERROR, "cwmp_zlib %s: message is null", __FUNCTION__);
+		return -1;
+	}
 #if 0 /*test*/
     static int testi = 1;
     char tests[50];
diff --git a/src/datamodel_interface.c b/src/datamodel_interface.c
index e43a7f3..956ecc7 100755
--- a/src/datamodel_interface.c
+++ b/src/datamodel_interface.c
@@ -225,7 +225,7 @@ void ubus_transaction_status_callback(struct ubus_request *req __attribute__((un
 	struct blob_attr *tb[2] = { NULL, NULL };
 	blobmsg_parse(p, 2, tb, blobmsg_data(msg), blobmsg_len(msg));
 	status_str = blobmsg_get_string(tb[0]);
-	if (strcmp(status_str, "on-going") == 0)
+	if (status_str && strcmp(status_str, "on-going") == 0)
 		*status = true;
 	else
 		*status = false;
diff --git a/src/diagnostic.c b/src/diagnostic.c
index 2aab12e..867d5c7 100644
--- a/src/diagnostic.c
+++ b/src/diagnostic.c
@@ -125,6 +125,8 @@ struct diagnostic_input nslookup_diagnostics_array[NSLKUP_NUMBER_INPUTS] = { //
 static bool set_specific_diagnostic_object_parameter_structure_value(struct diagnostic_input (*diagnostics_array)[], int number_inputs, char *parameter, char *value)
 {
 	int i;
+	if (parameter == NULL)
+		return false;
 	for (i = 0; i < number_inputs; i++) {
 		if (strcmp((*diagnostics_array)[i].parameter_name, parameter) == 0) {
 			FREE((*diagnostics_array)[i].value);
diff --git a/src/digauth.c b/src/digauth.c
index bc971b5..a92c547 100644
--- a/src/digauth.c
+++ b/src/digauth.c
@@ -430,13 +430,13 @@ int validate_http_digest_auth(const char *http_meth, const char *uri, const char
 {
 	get_value_from_header(hdr);
 
-	if (strcmp(param[E_USERNAME].value, usr) != 0)
+	if (usr && strcmp(param[E_USERNAME].value, usr) != 0)
 		return 0;
 
 	if (strlen(param[E_REALM].value) == 0)
 		return 0;
 
-	if (strcmp(param[E_REALM].value, rlm) != 0)
+	if (rlm && strcmp(param[E_REALM].value, rlm) != 0)
 		return 0;
 
 	if (strlen(param[E_CNONCE].value) == 0)
diff --git a/src/download.c b/src/download.c
index 0c33be2..ed62a05 100644
--- a/src/download.c
+++ b/src/download.c
@@ -258,7 +258,8 @@ void ubus_get_bank_status_callback(struct ubus_request *req, int type __attribut
 
 		if (blobmsg_get_u32(tb[1]) == (uint32_t)bank->bank_id) {
 			bank_found = true;
-			if (strcmp(blobmsg_get_string(tb[7]), "Available") == 0 || strcmp(blobmsg_get_string(tb[7]), "Active"))
+			char *status = blobmsg_get_string(tb[7]);
+			if (status && (strcmp(status, "Available") == 0 || strcmp(status, "Active") == 0))
 				bank->status = 1;
 			else
 				bank->status = 0;
diff --git a/src/event.c b/src/event.c
index d457f8e..24f6f85 100644
--- a/src/event.c
+++ b/src/event.c
@@ -349,7 +349,7 @@ void connection_request_ip_value_change(int version)
 		bkp_session_save();
 		return;
 	}
-	if (strcmp(bip, ip_value) != 0) {
+	if (ip_value && strcmp(bip, ip_value) != 0) {
 		struct event_container *event_container;
 		event_container = cwmp_add_event_container(EVENT_IDX_4VALUE_CHANGE, "");
 		if (event_container == NULL) {
diff --git a/src/notifications.c b/src/notifications.c
index f60f269..fe3a196 100644
--- a/src/notifications.c
+++ b/src/notifications.c
@@ -231,7 +231,7 @@ int get_parameter_leaf_notification_from_childs_list(char *parameter_name, struc
 	if (childs_list == NULL)
 		return -1;
 	list_for_each_entry (param_value, childs_list, list) {
-		if (strcmp(param_value->name, parameter_name) == 0) {
+		if (param_value->name && strcmp(param_value->name, parameter_name) == 0) {
 			ret_notif = param_value->notification;
 			break;
 		}
@@ -306,6 +306,8 @@ bool parameter_is_other_notif_object_child(char *parent, char *parameter)
 		list_ptr = list_iter.prev;
 		list_iter.prev = list_ptr->prev;
 		list_iter.next = list_ptr->next;
+		if (dm_parameter->name == NULL)
+			continue;
 		if (strcmp(parent, dm_parameter->name) == 0)
 			continue;
 		if (strncmp(parent, dm_parameter->name, strlen(parent)) == 0 && strncmp(parameter, dm_parameter->name, strlen(dm_parameter->name)) == 0)
@@ -557,7 +559,7 @@ int check_value_change(void)
 			value = NULL;
 			continue;
 		}
-		if ((notification >= 1) && (dm_value != NULL) && (strcmp(dm_value, value) != 0)) {
+		if ((notification >= 1) && (dm_value != NULL) && value && (strcmp(dm_value, value) != 0)) {
 			if (notification == 1 || notification == 2)
 				add_list_value_change(parameter, dm_value, dm_type);
 			if (notification >= 3)
diff --git a/src/rpc.c b/src/rpc.c
index 3cc6557..c8ad4b3 100755
--- a/src/rpc.c
+++ b/src/rpc.c
@@ -71,7 +71,7 @@ char *forced_inform_parameters[] = {
 int xml_handle_message()
 {
 	struct rpc *rpc_cpe;
-	char *c;
+	char *c = NULL;
 	int i;
 	mxml_node_t *b;
 	struct config *conf = &(cwmp_main->conf);
@@ -82,6 +82,10 @@ int xml_handle_message()
 		cwmp_main->session->fault_code = FAULT_CPE_INTERNAL_ERROR;
 		goto fault;
 	}
+	if (c == NULL) {
+		cwmp_main->session->fault_code = FAULT_CPE_INTERNAL_ERROR;
+		goto fault;
+	}
 	b = mxmlFindElement(cwmp_main->session->tree_in, cwmp_main->session->tree_in, c, NULL, NULL, MXML_DESCEND);
 
 	if (!b) {
@@ -133,7 +137,7 @@ int xml_handle_message()
 	CWMP_LOG(INFO, "SOAP RPC message: %s", c);
 	rpc_cpe = NULL;
 	for (i = 1; i < __RPC_CPE_MAX; i++) {
-		if (i != RPC_CPE_FAULT && strcmp(c, rpc_cpe_methods[i].name) == 0 && rpc_cpe_methods[i].amd <= conf->supported_amd_version) {
+		if (i != RPC_CPE_FAULT && c && strcmp(c, rpc_cpe_methods[i].name) == 0 && rpc_cpe_methods[i].amd <= conf->supported_amd_version) {
 			CWMP_LOG(INFO, "%s RPC is supported", c);
 			rpc_cpe = cwmp_add_session_rpc_cpe(i);
 			if (rpc_cpe == NULL)
@@ -169,7 +173,8 @@ static int xml_prepare_parameters_inform(struct cwmp_dm_parameter *dm_parameter,
 		if (!b)
 			return 0;
 		mxml_node_t *c = mxmlGetFirstChild(b);
-		if (c && strcmp(dm_parameter->value, mxmlGetOpaque(c)) == 0)
+		const char *c_opaque = c ? mxmlGetOpaque(c) : NULL;
+		if (c && c_opaque && strcmp(dm_parameter->value, c_opaque) == 0)
 			return 0;
 		mxmlDelete(b);
 		(*size)--;
@@ -178,6 +183,8 @@ static int xml_prepare_parameters_inform(struct cwmp_dm_parameter *dm_parameter,
 
 	char *type = (dm_parameter->type && dm_parameter->type[0] != '\0') ? dm_parameter->type : "xsd:string";
 	if (node == NULL) {
+		if (dm_parameter->name == NULL)
+			return -1;
 		struct xml_data_struct inform_params_xml_attrs = {0};
 		struct xml_list_data *xml_data = calloc(1, sizeof(struct xml_list_data));
 		xml_data->param_name = strdup(dm_parameter->name);
@@ -209,6 +216,8 @@ bool event_in_session_event_list(char *event, struct list_head *list_evts)
 {
 	struct event_container *event_container = NULL;
 
+	if (event == NULL)
+		return false;
 	list_for_each_entry (event_container, list_evts, list) {
 		if (strcmp(event, EVENT_CONST[event_container->code].CODE) == 0)
 			return true;
@@ -508,6 +517,8 @@ int set_rpc_acs_to_supported(char *rpc_name)
 {
 	int i;
 
+	if (rpc_name == NULL)
+		return -1;
 	for (i=1; i < __RPC_ACS_MAX; i++) {
 		if (strcmp(rpc_acs_methods[i].name, rpc_name) == 0) {
 			rpc_acs_methods[i].acs_support = RPC_ACS_SUPPORT;
@@ -530,6 +541,7 @@ int cwmp_rpc_acs_parse_response_get_rpc_methods(struct rpc *this __attribute__((
 {
 	mxml_node_t *tree, *b;
 	tree = cwmp_main->session->tree_in;
+
 	b = mxmlFindElement(tree, tree, "cwmp:GetRPCMethodsResponse", NULL, NULL, MXML_DESCEND);
 	if (!b)
 		goto error;
@@ -538,8 +550,9 @@ int cwmp_rpc_acs_parse_response_get_rpc_methods(struct rpc *this __attribute__((
 			const char *node_opaque = mxmlGetOpaque(b);
 			mxml_node_t *parent_node = mxmlGetParent(b);
 			mxml_type_t node_type = mxmlGetType(b);
+			const char *parent_name = parent_node ? mxmlGetElement(parent_node) : NULL;
 
-			if (node_type == MXML_OPAQUE && mxmlGetType(parent_node) == MXML_ELEMENT && node_opaque && strcmp((char *) mxmlGetElement(parent_node), "string") == 0)
+			if (node_type == MXML_OPAQUE && mxmlGetType(parent_node) == MXML_ELEMENT && node_opaque && parent_name && strcmp((char *) mxmlGetElement(parent_node), "string") == 0)
 				set_rpc_acs_to_supported((char*)node_opaque);
 
 			b = mxmlWalkNext(b, cwmp_main->session->body_in, MXML_DESCEND);
@@ -925,12 +938,14 @@ fault:
 int is_duplicated_parameter(mxml_node_t *param_node)
 {
 	mxml_node_t *b = param_node;
+	const char *node_name = param_node ? mxmlGetElement(param_node) : NULL;
 	while ((b = mxmlWalkNext(b, cwmp_main->session->body_in, MXML_DESCEND))) {
 		const char *node_opaque = mxmlGetOpaque(b);
 		mxml_node_t *parent = mxmlGetParent(b);
 		mxml_type_t node_type = mxmlGetType(b);
+		const char *parent_name = parent ? mxmlGetElement(parent) : NULL;
 
-		if (node_type == MXML_OPAQUE && node_opaque && mxmlGetType(parent) == MXML_ELEMENT && !strcmp(mxmlGetElement(parent), "Name")) {
+		if (node_type == MXML_OPAQUE && node_opaque && mxmlGetType(parent) == MXML_ELEMENT && node_name && parent_name && !strcmp(parent_name, "Name")) {
 			if (strcmp(node_opaque, mxmlGetOpaque(param_node)) == 0)
 				return -1;
 		}
@@ -1406,7 +1421,7 @@ int cancel_transfer(char *key)
 	if (list_download.next != &(list_download)) {
 		list_for_each_safe (ilist, q, &(list_download)) {
 			struct download *pdownload = list_entry(ilist, struct download, list);
-			if (strcmp(pdownload->command_key, key) == 0) {
+			if (key && pdownload->command_key && strcmp(pdownload->command_key, key) == 0) {
 				bkp_session_delete_download(pdownload);
 				bkp_session_save();
 				list_del(&(pdownload->list));
@@ -1419,7 +1434,7 @@ int cancel_transfer(char *key)
 	if (list_upload.next != &(list_upload)) {
 		list_for_each_safe (ilist, q, &(list_upload)) {
 			struct upload *pupload = list_entry(ilist, struct upload, list);
-			if (strcmp(pupload->command_key, key) == 0) {
+			if (key && pupload->command_key &&  strcmp(pupload->command_key, key) == 0) {
 				bkp_session_delete_upload(pupload);
 				bkp_session_save();
 				list_del(&(pupload->list));
@@ -1455,9 +1470,9 @@ int cwmp_handle_rpc_cpe_reboot(struct rpc *rpc)
 	if (fault_code)
 		goto fault;
 
-	commandKey = icwmp_strdup(command_key);
+	commandKey = icwmp_strdup(command_key ? command_key : "");
 
-	event_container = cwmp_add_event_container(EVENT_IDX_M_Reboot, command_key);
+	event_container = cwmp_add_event_container(EVENT_IDX_M_Reboot, command_key ? command_key : "");
 	if (event_container == NULL)
 		goto fault;
 
@@ -2010,6 +2025,8 @@ int cwmp_handle_rpc_cpe_fault(struct rpc *rpc)
 		struct xml_data_struct spv_fault_xml_attrs = {0};
 		spv_fault_xml_attrs.data_list = &spv_fault_xml_data_list;
 		body = mxmlFindElement(cwmp_main->session->tree_out, cwmp_main->session->tree_out, "cwmp:Fault", NULL, NULL, MXML_DESCEND);
+		if (body == NULL)
+			return -1;
 		fault = build_xml_node_data(SOAP_SPV_FAULT, body, &spv_fault_xml_attrs);
 		if (fault)
 			return -1;
diff --git a/src/subprocess.c b/src/subprocess.c
index 48c16df..2db07c1 100644
--- a/src/subprocess.c
+++ b/src/subprocess.c
@@ -24,7 +24,7 @@ bool check_task_name(char *task, char *name)
 {
 	struct blob_buf bbuf;
 
-	if (strcmp(task, "{}") == 0)
+	if (task && strcmp(task, "{}") == 0)
 		return false;
 
 	memset(&bbuf, 0, sizeof(struct blob_buf));
diff --git a/src/xml.c b/src/xml.c
index b4a2aac..b223e55 100644
--- a/src/xml.c
+++ b/src/xml.c
@@ -189,6 +189,8 @@ int load_upload_filetype(mxml_node_t *b, struct xml_data_struct *xml_attrs)
 	if (t == NULL)
 		return FAULT_CPE_INTERNAL_ERROR;
 	const char *node_opaque = mxmlGetOpaque(t);
+	if (node_opaque == NULL)
+		return FAULT_CPE_INVALID_ARGUMENTS;
 	char log_config[16]={0};
 	int ftype, instance = 0;
 
@@ -425,7 +427,8 @@ int load_xml_list_node_data(int node_ref, mxml_node_t *node, struct xml_data_str
 	b = mxmlWalkNext(node, node, MXML_DESCEND);
 	while (b) {
 		if (mxmlGetType(b) == MXML_ELEMENT) {
-			if (strcmp(xml_nodes_data[node_ref].tag_list_name, mxmlGetElement(b)) == 0) {
+			const char *b_name = b ? mxmlGetElement(b) : NULL;
+			if (b_name && strcmp(xml_nodes_data[node_ref].tag_list_name, b_name) == 0) {
 				struct xml_list_data *xml_data = calloc(1, sizeof(struct xml_list_data));
 
 				struct xml_data_struct xml_attrs_args = {0};
@@ -540,11 +543,10 @@ int load_single_xml_node_data(int node_ref, mxml_node_t *node, struct xml_data_s
 			}
 
 			char *opaque = NULL;
-			if (firstchild) {
+			if (firstchild)
 				opaque = (char*) mxmlGetOpaque(firstchild);
-			}
 
-			if (!validate_xml_node_opaque_value((char*)mxmlGetElement(b), opaque, xml_attrs->validations, xml_attrs->nbre_validations))
+			if (opaque != NULL && !validate_xml_node_opaque_value(b ? (char*)mxmlGetElement(b) : NULL, opaque, xml_attrs->validations, xml_attrs->nbre_validations))
 				return FAULT_CPE_INVALID_ARGUMENTS;
 
 			if ((xml_type != XML_FUNC) && (xml_type != XML_REC))
@@ -618,13 +620,14 @@ void cwmp_param_fault_list_to_xml_data_list(struct list_head *param_fault_list,
 
 void dm_parameter_list_to_xml_data_list(struct list_head *dm_parameter_list, struct list_head *xml_data_list)
 {
-	struct cwmp_dm_parameter *param_value;
+	struct cwmp_dm_parameter *param_value = NULL;
 	list_for_each_entry (param_value, dm_parameter_list, list) {
+		if (!param_value->name)
+			continue;
 		struct xml_list_data *xml_data;
-
 		xml_data = calloc(1, sizeof(struct xml_list_data));
 		list_add_tail(&xml_data->list, xml_data_list);
-		xml_data->param_name = strdup(param_value->name ? param_value->name : "");
+		xml_data->param_name = strdup(param_value->name);
 		xml_data->param_value = strdup(param_value->value ? param_value->value : "");
 		xml_data->param_type = strdup(param_value->type ? param_value->type : "");
 		xml_data->access_list = strdup(param_value->access_list ? param_value->access_list : "");
@@ -909,7 +912,7 @@ mxmlFindElementOpaque(mxml_node_t *node, /* I - Current node */
 	while (node != NULL) {
 		const char *op = mxmlGetOpaque(node);
 		if (mxmlGetType(node) == MXML_OPAQUE && op && (!strcmp(op, text))) {
-			return (node);
+			return node;
 		}
 
 		if (descend == MXML_DESCEND)
@@ -929,7 +932,7 @@ char *xml__get_attribute_name_by_value(mxml_node_t *node,	const char  *value)
 	for (i = 0; i < attributes_nbre; i++) {
 		char *attr_name = NULL;
 		const char *attr_value = mxmlElementGetAttrByIndex(node, i, (const char **)&attr_name);
-		if (strcmp(attr_value, value) == 0)
+		if (attr_value && strcmp(attr_value, value) == 0)
 			return attr_name;
 	}
 	return NULL;
@@ -1018,7 +1021,7 @@ int xml_send_message(struct rpc *rpc)
 			FREE(msg_out);
 			msg_out = (char *)zmsg_out;
 		} else {
-			msg_out_len = strlen(msg_out);
+			msg_out_len = msg_out ? strlen(msg_out) : 0;
 		}
 	}
 	while (1) {
@@ -1066,17 +1069,19 @@ int xml_send_message(struct rpc *rpc)
 	b = mxmlFindElement(cwmp_main->session->tree_in, cwmp_main->session->tree_in, c, NULL, NULL, MXML_DESCEND);
 	if (b) {
 		b = mxmlWalkNext(b, cwmp_main->session->tree_in, MXML_DESCEND_FIRST);
-		if (b && mxmlGetType(b) == MXML_OPAQUE && mxmlGetOpaque(b))
-			cwmp_main->session->hold_request = atoi(mxmlGetOpaque(b));
+		const char *bname = b ? mxmlGetOpaque(b) : NULL;
+		if (b && mxmlGetType(b) == MXML_OPAQUE && bname)
+			cwmp_main->session->hold_request = atoi(bname);
 	} else {
 		if (snprintf(c, sizeof(c), "%s:%s", ns.cwmp, "HoldRequests") == -1)
 			goto error;
 
 		b = mxmlFindElement(cwmp_main->session->tree_in, cwmp_main->session->tree_in, c, NULL, NULL, MXML_DESCEND);
+		const char *bname = b ? mxmlGetOpaque(b) : NULL;
 		if (b) {
 			b = mxmlWalkNext(b, cwmp_main->session->tree_in, MXML_DESCEND_FIRST);
-			if (b && mxmlGetType(b) == MXML_OPAQUE && mxmlGetOpaque(b))
-				cwmp_main->session->hold_request = atoi(mxmlGetOpaque(b));
+			if (b && mxmlGetType(b) == MXML_OPAQUE && bname)
+				cwmp_main->session->hold_request = atoi(bname);
 		}
 	}