#9 core dump generated by action

Milestone: v3.4
Status: open
Owner: nobody
Labels: sipp (50)
Priority: 5
Updated: 2012-12-15
Created: 2006-09-15
Creator: source_user
Private: No

I get a core dump (origin: cAction::getSubVarId()) due to the following action:

<recv request="NOTIFY" next="7" test="7">
  <action>
    <ereg regexp="([a-zA-Z]+)"
          search_in="hdr"
          header="Subscription-State: "
          assign_to="2" />
    <ereg regexp="(terminated)"
          search_in="hdr"
          header="Subscription-State: "
          assign_to="7" />
    <log message="INFO: Received Notify: Subscription-State:[$2]" />
  </action>
</recv>
When I comment out the action, I don't get any core dump.

On analysis of the code I figured out that the core dump is generated by the following function in call.cpp:
void call::extractSubMessage(char * msg, char * matchingString, char* result)
{
    char * ptr;
    int sizeOf;
    int i = 0;
    int len;

    ptr = strstr(msg, matchingString);
    if(ptr != NULL) {
        len = strlen(matchingString);
        strcpy(result, ptr+len);          /* unbounded copy of the rest of the message */
        sizeOf = strlen(result);
        if(sizeOf >= MAX_SUB_MESSAGE_LENGTH)
            sizeOf = MAX_SUB_MESSAGE_LENGTH-1;
        /* truncation happens only after the copy has already been done */
        while((i<sizeOf) && (result[i] != '\n') && (result[i] != '\r'))
            i++;
        result[i] = '\0';
    } else {
        result[0] = '\0';
    }
}
In this function, strcpy(result, ptr+len) doesn't care about the size of the "result" buffer, and only later truncates the buffer depending on the \r\n position. This strcpy can be dangerous if the length of (ptr + len) is bigger than MAX_SUB_MESSAGE_LENGTH. The code should be as follows:
void call::extractSubMessage(char * msg, char * matchingString, char* result)
{
    char * ptr;
    char *begin, *end;
    int len;

    ptr = strstr(msg, matchingString);
    if(ptr != NULL) {
        len = strlen(matchingString);
        begin = ptr + len;
        end = strstr(begin, "\r\n");      /* end of the header line */
        if ((!end) || ((end - begin) > (MAX_SUB_MESSAGE_LENGTH-1)))
        {
            /* no line end, or value too long: copy at most MAX_SUB_MESSAGE_LENGTH-1 bytes */
            strncpy(result, begin, MAX_SUB_MESSAGE_LENGTH-1);
            result[MAX_SUB_MESSAGE_LENGTH-1] = '\0';
        }
        else
        {
            /* value fits: copy exactly up to the \r\n boundary */
            strncpy(result, begin, (end - begin));
            result[end - begin] = '\0';
        }
    } else {
        result[0] = '\0';
    }
}

Here we only copy the string up to the \r\n boundary or MAX_SUB_MESSAGE_LENGTH-1 bytes, instead of truncating afterwards.

Discussion

  • Olivier Boulkroune

    To be tested

  • Rob Day - 2012-12-15

    • milestone: --> v3.4
