[OpenSIPS-Devel] libsms_getsms.c out of bounds memory access

Bogdan-Andrei Iancu bogdan at voice-system.ro
Wed Jun 23 23:02:04 CEST 2010


Hi Pascal,

My bad - I counted 7 and not 6 chars in the CMGR cmd :( ... So, you are right.

I guess the 2 cases must be separately treated (the CMGL and CMGR) to 
avoid any problems.

Regards,
Bogdan

Pascal Cuoq wrote:
>
> Hi!
>
> > If answer is "xxxxxxxx+CMGR:" string, the position var will point at
> > char "+" (line 171).
>
> We agree so far.
>
> > Now, following the code, line 178, the beginning var will point at the
> > \0 null terminator;
>
> "+CMGR:" is 6 characters. Variable position is pointing at the first one,
> so after executing line 178, variable beginning points *past* the
> terminating zero and into invalid memory, does it not?
>
> Then "end=beginning;" is executed, and next "*end" from
> the for-loop condition is an invalid access.
>
> Pascal
>


-- 
Bogdan-Andrei Iancu
OpenSIPS Bootcamp
20 - 24 September 2010, Frankfurt, Germany
www.voice-system.ro
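The off-by-one Pascal describes, worked through as an added example. This is not the thread's code and not OpenSIPS' libsms_getsms.c: the function names, the fixed skip of 7, the sample modem answers and the field layout of the +CMGL/+CMGR headers used here are assumptions for illustration. `overshoot()` shows how a constant skip from the tag lands past the terminating zero for an answer that ends right after "+CMGR:"; `skip_tag()` and `parse_sms_header()` are one way to advance by the tag's own length instead and, as Bogdan suggests, to treat the CMGL and CMGR forms separately.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed modem answers for the example (not captured from a real
 * device). The first one is the shape Pascal describes: the tag is the
 * last thing in the buffer. */
static const char ANSWER_TRUNCATED[] = "xxxxxxxx+CMGR:";
static const char ANSWER_CMGR[] = "+CMGR: \"REC READ\",\"+1234\",,\"10/06/23,23:02:04+08\"";
static const char ANSWER_CMGL[] = "+CMGL: 1,\"REC UNREAD\",\"+1234\"";

/* How far past the terminating zero a fixed skip from the tag lands.
 * This mirrors the pattern discussed in the thread (a constant added to
 * `position`); the value 7 passed by the caller is an assumption, not the
 * real source line. Returns 0 when the skip lands exactly on '\0' (still a
 * valid read) and a positive number when it lands beyond it. The pointer
 * is only compared, never dereferenced, so this function is well defined. */
static ptrdiff_t overshoot(const char *answer, const char *tag, size_t skip)
{
    const char *position = strstr(answer, tag);
    if (position == NULL)
        return 0;
    const char *nul = answer + strlen(answer);
    return (position + skip) - nul;
}

/* Bounds-safe replacement for the fixed skip: advance by the tag's own
 * length (which can never pass '\0'), skip blanks, and refuse an empty
 * payload so the caller never scans from the terminator onwards. */
static const char *skip_tag(const char *answer, const char *tag)
{
    const char *position = strstr(answer, tag);
    if (position == NULL)
        return NULL;
    const char *beginning = position + strlen(tag);
    while (*beginning == ' ')
        beginning++;
    return *beginning != '\0' ? beginning : NULL;
}

typedef struct {
    int index;       /* message index from +CMGL:, -1 for +CMGR: */
    char stat[16];   /* e.g. "REC UNREAD" */
} sms_hdr;

/* Treat +CMGL and +CMGR separately: the list form carries an <index>
 * before <stat>, the read form starts at <stat>.
 * Returns 0 on success, -1 on a malformed or truncated answer. */
static int parse_sms_header(const char *answer, sms_hdr *out)
{
    const char *p;
    out->index = -1;
    out->stat[0] = '\0';

    if ((p = skip_tag(answer, "+CMGL:")) != NULL) {
        char *endp;
        long idx = strtol(p, &endp, 10);
        if (endp == p || *endp != ',')
            return -1;
        out->index = (int)idx;
        p = endp + 1;
    } else if ((p = skip_tag(answer, "+CMGR:")) == NULL) {
        return -1;
    }

    /* <stat> is a quoted string; copy it with an explicit length check */
    if (*p != '"')
        return -1;
    const char *end = strchr(p + 1, '"');
    if (end == NULL)
        return -1;
    size_t len = (size_t)(end - (p + 1));
    if (len >= sizeof out->stat)
        return -1;
    memcpy(out->stat, p + 1, len);
    out->stat[len] = '\0';
    return 0;
}

int main(void)
{
    sms_hdr h;
    printf("fixed skip of 7 overshoots '\\0' by %td byte(s)\n",
           overshoot(ANSWER_TRUNCATED, "+CMGR:", 7));
    printf("truncated answer rejected: %d\n",
           parse_sms_header(ANSWER_TRUNCATED, &h));
    if (parse_sms_header(ANSWER_CMGL, &h) == 0)
        printf("CMGL index=%d stat=%s\n", h.index, h.stat);
    if (parse_sms_header(ANSWER_CMGR, &h) == 0)
        printf("CMGR index=%d stat=%s\n", h.index, h.stat);
    return 0;
}
```

For the truncated answer, "+CMGR:" starts at offset 8 of a 14-byte string, so a skip of 6 lands on the terminator and a skip of 7 lands one byte beyond it; the subsequent `end=beginning; ... *end` read in the loop condition is then outside the buffer. Advancing by `strlen(tag)` instead, and checking for an empty remainder before scanning, removes the need for any per-command constant.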