
[reSIProcate] Array overflow bug in Headers::CommaEncoding and similar arrays


Hello all,

I think resiprocate-0.9.0-5019 has an array overflow bug affecting 
CommaEncoding and similar arrays inside the Headers class. This bug is easy to 
reproduce as shown below. I have come up with two possible ways of fixing the 
bug but I'd like to know what other developers on the list think.

Thanks,

Jorge

BEGIN: Steps to reproduce array overflow bug
------------------------------------------------------------
STEP 1) Modify "Headers::isCommaEncoding" as follows:

// Debug check added to Headers.cxx (needs <iostream> and <cassert>).
// CommaEncoding is a bool array, so sizeof() is also its element count,
// and type+1 is the slot the table is indexed by.
bool 
Headers::isCommaEncoding(Type type)
{
   if(type+1 >= sizeof(CommaEncoding))
   {
      std::cout << "OUT_OF_RANGE_ERROR:"
                << " (int)type+1 = " << (int)type+1
                << " sizeof(CommaEncoding) = " << sizeof(CommaEncoding)
                << std::endl;
      assert(false);
   }
   return CommaEncoding[type+1];
}

------------------------------------------------------------
STEP 2) Run "resiprocate/test/testSipMessage"

------------------------------------------------------------
STEP 3) Program fails as follows:

OUT_OF_RANGE_ERROR: (int)type+1 = 79 sizeof(CommaEncoding) = 78
Assertion failed: false, file Headers.cxx, line 40
Abort (core dumped)

------------------------------------------------------------
STEP 4) Minimum code required to duplicate error is as follows:

// Requires the resip headers for SipMessage, UnknownHeaderType,
// StringCategory and Data, plus <iostream>.
using namespace resip;

int
main(int argc, char** argv)
{
   SipMessage m;
   UnknownHeaderType h("tweedle-dee");
   m.header(h).push_back(StringCategory("Joe"));
   m.header(h).push_back(StringCategory("Banks"));
   // Encoding the message is what reaches Headers::isCommaEncoding
   // with the unknown header's type and trips the check above.
   const Data d(Data::from(m));
   std::cout << "d = [" << d << "]" << std::endl;
   return 0;
}

------------------------------------------------------------
END: Steps to reproduce array overflow bug
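An added, self-contained model of the indexing pattern in this report (not resiprocate's code; the enum layout, table contents and function names are assumptions): a table indexed by type+1 whose sentinel values land at or past the end, beside a lookup that validates the computed index against the element count before reading.

```cpp
#include <cstddef>
#include <iostream>

// Hypothetical header-type enumeration: a negative UNKNOWN so that type+1
// starts at slot 0, then real headers, then two sentinels past the table.
// This is an assumption for illustration, not resiprocate's Headers::Type.
enum Type
{
   UNKNOWN = -1,
   Accept,
   Contact,
   Via,
   MAX_HEADERS,   // one past the last real header
   NONE           // sentinel used for unknown/extension headers
};

// Constructed table: one slot for UNKNOWN plus one per real header.
static const bool CommaEncoding[MAX_HEADERS + 1] = { false, true, true, true };

// Element count, not byte count: sizeof(array) equals the element count
// only because bool is one byte here; dividing by sizeof(element) is safe
// for any element type.
static const std::size_t kCommaEncodingLen =
   sizeof(CommaEncoding) / sizeof(CommaEncoding[0]);

// The slot the unchecked original would read. For NONE this is
// kCommaEncodingLen + 1, i.e. past the end of the table.
long commaEncodingIndex(Type type)
{
   return static_cast<long>(type) + 1;
}

// Checked lookup: *inRange tells the caller whether a table entry existed,
// so "not comma encoded" and "no entry for this type" stay distinguishable.
bool isCommaEncodingChecked(Type type, bool* inRange)
{
   const long idx = commaEncodingIndex(type);
   if (idx < 0 || static_cast<std::size_t>(idx) >= kCommaEncodingLen)
   {
      *inRange = false;
      return false;
   }
   *inRange = true;
   return CommaEncoding[idx];
}

int main()
{
   bool ok = false;
   std::cout << "Contact comma-encoded: " << isCommaEncodingChecked(Contact, &ok)
             << " (in range " << ok << ")\n";
   isCommaEncodingChecked(NONE, &ok);
   std::cout << "NONE index " << commaEncodingIndex(NONE)
             << " of " << kCommaEncodingLen << " slots, in range " << ok << '\n';
   return 0;
}
```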