Patches item #1559361, was opened at 2006-09-15 10:17
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=637566&aid=1559361&group_id=104305
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: sipp
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: source_user (source_user)
Assigned to: Nobody/Anonymous (nobody)
Summary: core dump generated by action
Initial Comment:
I get a core dump (origin: cAction::getSubVarId()) due to the following action:
    <recv request="NOTIFY" next="7" test="7">
      <action>
        <ereg regexp="([a-zA-Z]+)"
              search_in="hdr"
              header="Subscription-State: "
              assign_to="2" />
        <ereg regexp="(terminated)"
              search_in="hdr"
              header="Subscription-State: "
              assign_to="7" />
        <log message="INFO: Received Notify: Subscription-State:[$2]" />
      </action>
    </recv>
When I comment out the action, I don't get any core dump.
On analysis of the code I figured out that the core dump is generated by the following function in call.cpp:
    void call::extractSubMessage(char * msg, char * matchingString, char* result)
    {
        char * ptr;
        int sizeOf;
        int i = 0;
        int len;

        ptr = strstr(msg, matchingString);
        if(ptr != NULL) {
            len = strlen(matchingString);
            strcpy(result, ptr+len);      /* unbounded copy into result */
            sizeOf = strlen(result);
            if(sizeOf >= MAX_SUB_MESSAGE_LENGTH)
                sizeOf = MAX_SUB_MESSAGE_LENGTH-1;
            /* truncation happens only after the copy */
            while((i<sizeOf) && (result[i] != '\n') && (result[i] != '\r'))
                i++;
            result[i] = '\0';
        } else {
            result[0] = '\0';
        }
    }
In this function, the strcpy(result, ptr+len); doesn't care about the size of the "result" buffer, and only later truncates the buffer depending on the \r\n position. This strcpy can be dangerous if the length of (ptr + len) is bigger than MAX_SUB_MESSAGE_LENGTH.
The code should be as follows:
    void call::extractSubMessage(char * msg, char * matchingString, char* result)
    {
        char * ptr;
        char *begin, *end;
        int len;

        ptr = strstr(msg, matchingString);
        if(ptr != NULL) {
            len = strlen(matchingString);
            begin = ptr + len;
            end = strstr(begin, "\r\n");
            if ((!end) || ((end - begin) > (MAX_SUB_MESSAGE_LENGTH-1))) {
                /* no line end, or value too long: copy at most MAX_SUB_MESSAGE_LENGTH-1 bytes */
                strncpy(result, begin, MAX_SUB_MESSAGE_LENGTH-1);
                result[MAX_SUB_MESSAGE_LENGTH-1] = '\0';
            } else {
                /* value fits: copy exactly up to the line end */
                strncpy(result, begin, (end - begin));
                result[end - begin] = '\0';
            }
        } else {
            result[0] = '\0';
        }
    }
Here we only copy the string up to the \r\n boundary or MAX_SUB_MESSAGE_LENGTH-1, instead of truncating afterwards.
----------------------------------------------------------------------
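An added example, not the submitter's patch or SIPp's own code: a bounded rewrite of the extraction that measures the header value up to the line end (CR or LF, as the original loop checks) before anything is copied, so the destination size rather than the input length governs the copy. The function and macro names mirror the report; the NOTIFY fragment and the 16-byte cap are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SUB_MESSAGE_LENGTH 16   /* small on purpose: exercises truncation */

/* Copy the text following matching_string in msg into result, stopping at the
 * first CR or LF or after MAX_SUB_MESSAGE_LENGTH-1 bytes, whichever comes first.
 * The caller's result buffer must hold MAX_SUB_MESSAGE_LENGTH bytes. Returns
 * the number of bytes stored (without the terminator), or -1 if not found. */
int extract_sub_message(const char *msg, const char *matching_string, char *result)
{
    const char *begin = strstr(msg, matching_string);
    if (begin == NULL) {
        result[0] = '\0';
        return -1;
    }
    begin += strlen(matching_string);
    /* Measure the value up to the line end BEFORE copying anything. */
    size_t n = strcspn(begin, "\r\n");
    if (n > MAX_SUB_MESSAGE_LENGTH - 1)
        n = MAX_SUB_MESSAGE_LENGTH - 1;   /* bound the copy, not the buffer afterwards */
    memcpy(result, begin, n);
    result[n] = '\0';
    return (int)n;
}

/* Constructed NOTIFY fragment: one value longer than the cap, one shorter. */
static const char *sample_msg =
    "NOTIFY sip:watcher@example.com SIP/2.0\r\n"
    "Subscription-State: terminated;reason=timeout;expires=0\r\n"
    "Event: presence\r\n"
    "\r\n";

/* Extract a header from sample_msg and compare with the expected result. */
int check_extract(const char *header, int expected_len, const char *expected)
{
    char result[MAX_SUB_MESSAGE_LENGTH];
    int n = extract_sub_message(sample_msg, header, result);
    return n == expected_len && strcmp(result, expected) == 0;
}

int main(void)
{
    char result[MAX_SUB_MESSAGE_LENGTH];
    int n = extract_sub_message(sample_msg, "Subscription-State: ", result);
    printf("%d bytes: \"%s\"\n", n, result);   /* 15 bytes: "terminated;reas" */
    n = extract_sub_message(sample_msg, "Event: ", result);
    printf("%d bytes: \"%s\"\n", n, result);   /* 8 bytes: "presence" */
    return 0;
}
```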
_______________________________________________
Sipp-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/sipp-users