<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
--></style>
</head>
<body class='hmmessage'>
Hello,<div><br></div><div>There is a potential out-of-bounds memory access in function</div><div>fetchsms in libsms_getsms.c in the current SVN HEAD version</div><div>of this file (but don't worry, it has been there since OpenSER).</div><div><br></div><div>If the answer returned happens to be</div><div><br></div><div>".....about 500 characters of gibberish.....+CMGL: "</div><div><br></div><div>assuming the right branch is taken,</div><div>the test (*end<'9' && *end>'0') at line 155</div><div>will be true the first time (*end being the '\0' char that can</div><div>be expected to have been put there to terminate the string</div><div>by function put_command). On the second iteration,</div><div>*end will be an illegal memory access.</div><div><br></div><div>We found this bug using the value analysis of Frama-C:</div><div>http://frama-c.com/</div><div><br></div><div>Best regards,</div><div><br></div><div>Pascal</div><div>__</div><div><br></div><div>Some details in case anyone is interested:</div><div><br></div><div>Frama-C is a collection of software analyzers intended</div><div>among other things for verification of critical code.</div><div>During the verification of critical code, you start with</div><div>code that is already pretty much bug-free because</div><div>of the way it is developed, and when you are finished,</div><div>you are definitely convinced that it is bug-free. In order</div><div>to be usable for verification, Frama-C and the couple</div><div>of existing comparable tools chose to be "correct":</div><div>they never remain silent when there is a possibility of</div><div>a bug somewhere. This means that they have</div><div>more false positives than static analyzers intended for</div><div>debugging, which always have the choice to remain</div><div>silent when their analyses are imprecise and they</div><div>are not sure whether there is a bug or not.</div><div><br></div><div>We would never have found the bug above among all</div><div>the false positives if we had tried to analyze the whole</div><div>of OpenSIPS, but as it turned out, a bit of the function</div><div>had had another bug previously and both the version</div><div>with the two bugs and the version with one bug corrected</div><div>were included in a benchmark for static analyzers:</div><div><br></div><div>http://se.cs.toronto.edu/index.php/Verisec_Suite</div><div><br></div><div>(case CVE-2006-6876)</div><div><br></div><div>It tells a lot that the bug was included by accident</div><div>in a static analysis benchmark on which several</div><div>analyzers were tried, and that it wasn't discovered</div><div>earlier. Neither verification analyzers nor debugging</div><div>analyzers are not perfect yet, but hey, we did find </div><div>the bug in the end.</div><div><br></div><div><br></div> <br /><hr />Hotmail: Trusted email with powerful SPAM protection. <a href='https://signup.live.com/signup.aspx?id=60969' target='_new'>Sign up now.</a></body>
</html>