[OpenSIPS-Devel] libsms_getsms.c out of bounds memory access

Pascal Cuoq pascal_cuoq at hotmail.com
Fri Jun 18 01:00:37 CEST 2010



> "+CMGR:" is 6 characters. Variable position is pointing at the first one,
> so after executing line 178, variable beginning points *past* the
> terminating zero and into invalid memory, does it not?
> Then "end=beginning;" is executed, and next "*end" from
> the for-loop condition is an invalid access.

Perhaps I can express more clearly what I think is wrong by proposing fixes, which may or may not be the correct fixes:

proposition 1: change line 171 to:    position=strstr(answer,"+CMGR: ");

proposition 2: change line 178 to:    beginning=position+6;

But both these propositions may have subtle side-effects, so I don't know which is right. Proposition 1 changes the execution path of the function if "+CMGR:,,0\r" is a possible answer. Proposition 2 adds a space at the beginning of the substring pointed to by variable "beginning" copied to pdu at line 192.

While we are looking at this code, I think that the test "end-beginning<4" at line 188 is always false, but this is a completely orthogonal issue, and probably harmless. Perhaps the bug is that this condition shouldn't be tested at line 185 though, in which case it is not completely harmless.
Pascal
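The following is an added example and is not code from the message above or from OpenSIPS's libsms_getsms.c. It makes the pointer arithmetic in the quoted report concrete: "+CMGR:" is six bytes, so skipping a seventh byte after the match lands one past the terminating NUL when the tag is the last thing in the buffer. cmgr_skip_overshoot measures that distance with offsets only, so nothing is dereferenced while measuring, and cmgr_extract_field shows one way to skip the tag plus an optional space without reading past the terminator. The modem answers are constructed; that the original code skips seven bytes is inferred from proposition 2 and is an assumption here.

```c
/* Added example, not OpenSIPS code. Constructed AT "+CMGR:" answers are used
 * to show how a fixed skip past a strstr() match can step over the NUL, and
 * how to bound the skip instead. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CMGR_TAG "+CMGR:"

/* How many bytes past the terminating NUL of `answer` would
 * strstr(answer, CMGR_TAG) + skip land? 0 means the pointer stays inside the
 * string (pointing at the NUL itself is still in bounds). -1 if the tag is
 * absent. Only offsets are compared, so this measurement never reads out of
 * bounds. */
int cmgr_skip_overshoot(const char *answer, size_t skip)
{
    const char *position = strstr(answer, CMGR_TAG);
    if (position == NULL)
        return -1;
    size_t len = strlen(answer);
    size_t target = (size_t)(position - answer) + skip;
    return target > len ? (int)(target - len) : 0;
}

/* Copies the field following "+CMGR:" (up to '\r' or end of string) into
 * `out`. Skips exactly strlen(CMGR_TAG) bytes, then any spaces, so both
 * "+CMGR: 0,,22" and "+CMGR:,,0\r" (the case mentioned in the message) are
 * handled without a fixed offset of 7. Returns the field length, or -1 if the
 * tag is missing or `out` is too small. What a caller does with the field
 * afterwards (e.g. PDU decoding) is out of scope. */
int cmgr_extract_field(const char *answer, char *out, size_t outlen)
{
    const char *position = strstr(answer, CMGR_TAG);
    if (position == NULL)
        return -1;
    const char *beginning = position + strlen(CMGR_TAG); /* 6, never 7 */
    while (*beginning == ' ')                            /* optional SP */
        beginning++;
    const char *end = beginning;
    while (*end != '\0' && *end != '\r')                 /* stops at NUL */
        end++;
    size_t n = (size_t)(end - beginning);
    if (n + 1 > outlen)
        return -1;
    memcpy(out, beginning, n);
    out[n] = '\0';
    return (int)n;
}

/* Convenience for checking results: 1 if the extracted field equals
 * `expected`, 0 otherwise (including when extraction fails). */
int cmgr_field_equals(const char *answer, const char *expected)
{
    char field[64];
    if (cmgr_extract_field(answer, field, sizeof field) < 0)
        return 0;
    return strcmp(field, expected) == 0;
}

int main(void)
{
    /* Constructed modem answers: normal, terse, and cut off right after the tag. */
    const char *answers[] = {
        "\r\n+CMGR: 0,,22\r\n07911234567890F1\r\n\r\nOK\r\n",
        "+CMGR:,,0\r\nOK\r\n",
        "+CMGR:",
    };
    char field[64];
    for (size_t i = 0; i < sizeof answers / sizeof answers[0]; i++) {
        int over = cmgr_skip_overshoot(answers[i], 7);
        int n = cmgr_extract_field(answers[i], field, sizeof field);
        printf("skip 7 lands %d byte(s) past the NUL; field \"%s\" (%d chars)\n",
               over, n < 0 ? "" : field, n);
    }
    return 0;
}
```

For the third answer, a skip of 7 lands one byte past the terminator, which is the read the report describes; a skip of 6 lands exactly on the NUL, and the loop over `*end` then terminates immediately with an empty field.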