Package: siproxd
Version: 1:0.5.10+cvs20050423-1
Severity: normal
Tags: patch
In proxy.c, functions proxy_request() and proxy_response(), an argument of type osip_uri_t* is used for a "%s" conversion specification. However, osip_uri_t is a struct; it seems like what really was meant is its member "host" of type char*.

This seems to only affect siproxd if debug output is activated, DBCLASS_PROXY is included in debug_level and a host name read from the network cannot be resolved. By chance I happened to hit it all the same. ;) Luckily, on my system, a NUL byte was less than 20 bytes of garbage away.

The code in question is also present in 1:0.5.11-1 (testing, unstable), as proxy.c is identical to 1:0.5.10+cvs20050423-1 (before applying debian patches).

In current upstream (24Feb2006), the code has been removed from the two functions in proxy.c, but added to sip_find_direction() in sip_utils.c, still containing the bug.

Regards,
Fabian
diff -du4rN siproxd-0.5.10+cvs20050423/src/proxy.c siproxd-0.5.10+cvs20050423-format/src/proxy.c --- siproxd-0.5.10+cvs20050423/src/proxy.c 2005-04-22 00:41:02.000000000 +0200 +++ siproxd-0.5.10+cvs20050423-format/src/proxy.c 2006-02-24 06:46:53.000000000 +0100 @@ -143,9 +143,9 @@ if (urlmap[i].active == 0) continue; if (get_ip_by_host(urlmap[i].true_url->host, &tmp_addr) == STS_FAILURE) { DEBUGC(DBCLASS_PROXY, "proxy_request: cannot resolve host [%s]", - urlmap[i].true_url); + urlmap[i].true_url->host); } else { DEBUGC(DBCLASS_PROXY, "proxy_request: reghost:%s ip:%s", urlmap[i].true_url->host, utils_inet_ntoa(from->sin_addr)); if (memcmp(&tmp_addr, &from->sin_addr, sizeof(tmp_addr)) == 0) { @@ -639,9 +639,9 @@ if (urlmap[i].active == 0) continue; if (get_ip_by_host(urlmap[i].true_url->host, &tmp_addr) == STS_FAILURE) { DEBUGC(DBCLASS_PROXY, "proxy_response: cannot resolve host [%s]", - urlmap[i].true_url); + urlmap[i].true_url->host); } else { DEBUGC(DBCLASS_PROXY, "proxy_response: reghost:%s ip:%s", urlmap[i].true_url->host, utils_inet_ntoa(from->sin_addr)); if (memcmp(&tmp_addr, &from->sin_addr, sizeof(tmp_addr)) == 0) {
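Review bot: In the proxy_request hunk (@@ -143), the new argument urlmap[i].true_url->host is passed to "%s" only on the branch where get_ip_by_host() returned STS_FAILURE, and nothing in the visible lines rules out host being NULL there; passing NULL for "%s" is undefined behaviour in C. Suggest guarding the argument, for example `urlmap[i].true_url->host ? urlmap[i].true_url->host : "(null)"`. Separately, the original mismatch (a struct pointer for "%s") compiled without complaint, so if the function behind DEBUGC is a printf-style variadic, declaring it with GCC's format(printf, ...) attribute would let -Wformat catch this class of error at build time.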
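Review bot: The proxy_response hunk (@@ -639) repeats the proxy_request loop body from the first hunk, differing only in the message prefix, down to the same wrong "%s" argument, which is why the fix has to be made twice. Consider moving the urlmap lookup into one shared helper so the DEBUGC call exists in a single place. The report also states that upstream has moved this code into sip_find_direction() in sip_utils.c with the bug still present, so the same one-line change to ->host needs to be carried over there.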