[OpenSIPS-Devel] libsms_getsms.c out of bounds memory access

Bogdan-Andrei Iancu bogdan at voice-system.ro
Thu Jun 17 21:28:20 CEST 2010


Hi Pascal,

If the answer is the "xxxxxxxx+CMGR:" string, the position var will point at 
the char "+" (line 171).

Now, following the code, at line 178 the beginning var will point at the 
\0 null terminator; the same goes for the end var (line 184), and the for loop will stop 
immediately because of the "*end" test. The condition at line 185 will be 
true (as end==beginning) and the function will return 0 without any 
illegal mem access.

Am I missing something?

Regards,
Bogdan

Pascal Cuoq wrote:
>
> Hello again,
>
> > If the answer returned happens to be
> > ".....about 500 characters of gibberish.....+CMGL: "
> > assuming the right branch is taken,
>
> sorry, this bug report has been on my to-do list
> for too long and now I got the details wrong.
>
> Line 155
>
> while (*end<'9' && *end>'0') end++;
>
> to skip any number of digits that may be there seems to
> be fine (precisely because answer can be assumed to be
> nul-terminated). I think that the bug was in the other
> branch, when executing line 171:
>
> position=strstr(answer,"+CMGR:");
>
> and answer happens to be " .... +CMGR:".
>
> Very sorry for the confusion.
>
> Pascal
>
>
>


-- 
Bogdan-Andrei Iancu
www.voice-system.ro
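The control flow Bogdan traces above (strstr() locates "+CMGR:", the scan toward the digits stops at the NUL terminator, and the equal-pointer test returns 0) can be made concrete. The following is an added example written for this page: a hypothetical reconstruction of that parsing pattern, not the code in libsms_getsms.c. The function names cmgr_extract_digits, cmgr_digits_equal and parse_modem_reply, and the modem replies fed to them, are constructed for illustration. It also makes explicit the precondition the whole argument rests on: the answer buffer must be NUL-terminated before strstr() ever sees it.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical reconstruction of the parsing pattern discussed in the
 * thread (not the OpenSIPS libsms_getsms.c code). Finds "+CMGR:" in a
 * NUL-terminated modem reply, skips to the first digit after the tag,
 * collects the digit run and returns its length. Returns 0 when the
 * tag is missing or nothing usable follows it. If out is non-NULL the
 * digits are copied there, NUL-terminated, truncated to out_len - 1. */
size_t cmgr_extract_digits(const char *answer, char *out, size_t out_len)
{
    const char *position = strstr(answer, "+CMGR:");   /* the "line 171" step */
    if (position == NULL)
        return 0;

    /* Walk from the tag to the first digit. The '\0' test is what keeps
     * the walk inside the buffer when the reply ends right at "+CMGR:". */
    const char *beginning = position + strlen("+CMGR:");
    while (*beginning != '\0' && !isdigit((unsigned char)*beginning))
        beginning++;

    /* Scan the digit run. The loop quoted in the thread tests
     * *end<'9' && *end>'0', which rejects the digits 0 and 9 themselves;
     * isdigit() accepts all ten. The '\0' test again bounds the scan. */
    const char *end = beginning;
    while (*end != '\0' && isdigit((unsigned char)*end))
        end++;

    /* A reply such as "xxxxxxxx+CMGR:": beginning == end == the
     * terminator, so the function returns 0 without reading further. */
    if (end == beginning)
        return 0;

    size_t n = (size_t)(end - beginning);
    if (out != NULL && out_len > 0) {
        size_t c = n < out_len - 1 ? n : out_len - 1;
        memcpy(out, beginning, c);
        out[c] = '\0';
    }
    return n;
}

/* Convenience for checking the extracted digits against an expected
 * string; returns 1 on match, 0 otherwise. An empty expected string
 * means "no digits were found". */
int cmgr_digits_equal(const char *answer, const char *expected)
{
    char buf[32];
    size_t n = cmgr_extract_digits(answer, buf, sizeof(buf));
    if (n == 0)
        return expected[0] == '\0';
    return strcmp(buf, expected) == 0;
}

/* Bytes read from a modem are not NUL-terminated; the caller must
 * terminate them before strstr() is called, otherwise the argument in
 * the thread does not hold. The raw input is a constructed reply. */
size_t parse_modem_reply(const unsigned char *raw, size_t raw_len,
                         char *out, size_t out_len)
{
    char answer[512];
    size_t n = raw_len < sizeof(answer) - 1 ? raw_len : sizeof(answer) - 1;
    memcpy(answer, raw, n);
    answer[n] = '\0';                 /* the precondition the thread relies on */
    return cmgr_extract_digits(answer, out, out_len);
}
```

The point of the two '\0' tests is that every pointer the function advances is checked against the terminator before it is dereferenced further, which is exactly why the "+CMGR:" at end-of-string case is safe; drop the terminator (or the raw-buffer termination in parse_modem_reply) and strstr() itself becomes the out-of-bounds read.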
