[OpenSIPS-Devel] [ opensips-Bugs-3481737 ] Memory corruption using via-parsing trasformations

[SourceForge.net]

Bugs item #3481737, was opened at 2012-01-30 12:07
Message generated for change (Comment added) made by ekobi
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=3481737&group_id=232389

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: core
Group: None
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Kobi Eshun (ekobi)
Assigned to: Nobody/Anonymous (nobody)
Summary: Memory corruption using via-parsing trasformations

Initial Comment:
Use of string transformations such as this:


	$var(edgetransport) = $(var(edgevia){via.transport}{s.tolower});

result in corruption to the package memory structures. Cause is a bad test in transformations.c:tr_eval_via(). Fixed with commit 8696 to head:


tigger:opensips-trunk kobi$ svn diff
Index: transformations.c
===================================================================
--- transformations.c	(revision 8695)
+++ transformations.c	(working copy)
@@ -638,7 +638,7 @@
 			strncmp(_tr_via.s, val->rs.s, val->rs.len)!=0
 			|| _tr_parsed_via==0)
 	{
-		if(val->rs.len>_tr_via.len)
+		if(4+val->rs.len>_tr_via.len)
 		{
 			if(_tr_via.s) pkg_free(_tr_via.s);
 			_tr_via.s = (char*)pkg_malloc((val->rs.len+4)*sizeof(char));

--
kobi

----------------------------------------------------------------------

>Comment By: Kobi Eshun (ekobi)
Date: 2012-01-30 12:17

Message:
Fixed with SVN commit commit 8696 to head. Should consider back-porting to
1.6.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=3481737&group_id=232389