[reSIProcate] Array overflow bug in Headers::CommaEncoding and similar arrays
- From: "Jorge Martin-de-Nicolas" <Jorge@xxxxxxxxxxx>
- Date: Thu, 27 Jul 2006 19:27:11 -0500
Hello all,
I think resiprocate-0.9.0-5019 has an array overflow bug affecting
CommaEncoding and similar arrays inside the Headers class. This bug is easy to
reproduce as shown below. I have come up with two possible ways of fixing the
bug but I'd like to know what other developers on the list think.
Thanks,
Jorge
BEGIN: Steps to reproduce array overflow bug
------------------------------------------------------------
STEP 1) Modify "Headers::isCommaEncoding" as follows:
bool
Headers::isCommaEncoding(Type type)
{
    // Diagnostic guard: CommaEncoding is indexed with type+1, so compare that
    // offset against the array size before reading from it.
    if(type+1 >= sizeof(CommaEncoding))
    {
        std::cout << "OUT_OF_RANGE_ERROR:"
                  << " (int)type+1 = " << (int)type+1
                  << " sizeof(CommaEncoding) = " << sizeof(CommaEncoding)
                  << std::endl;
        assert(false);
    }
    return CommaEncoding[type+1];
}
------------------------------------------------------------
STEP 2) Run "resiprocate/test/testSipMessage"
------------------------------------------------------------
STEP 3) Program fails as follows:
OUT_OF_RANGE_ERROR: (int)type+1 = 79 sizeof(CommaEncoding) = 78
Assertion failed: false, file Headers.cxx, line 40
Abort (core dumped)
------------------------------------------------------------
STEP 4) Minimum code required to duplicate error is as follows:
#include <iostream>
// requires the resiprocate headers declaring SipMessage, UnknownHeaderType,
// StringCategory and Data (all in namespace resip)
using namespace resip;

int
main(int argc, char** argv)
{
    SipMessage m;
    // an extension header the stack does not know by name
    UnknownHeaderType h("tweedle-dee");
    m.header(h).push_back(StringCategory("Joe"));
    m.header(h).push_back(StringCategory("Banks"));
    // encoding the message triggers the CommaEncoding lookup
    const Data d(Data::from(m));
    std::cout << "d = [" << d << "]" << std::endl;
    return 0;
}
------------------------------------------------------------
END: Steps to reproduce array overflow bug
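The report shows a per-header-type flag table being indexed with type+1 and the index landing past the end of the array. The following C++ block is an added illustration, not reSIProcate code: the enum, table and function names are constructed, and the guess that the +1 offset exists to make room for a sentinel value of -1 for unknown headers is an assumption, not something taken from the project. It shows a table shaped like the one in the report, a check that reproduces the assertion without performing the out-of-range read, and a corrected table whose size is tied to the enum by a static_assert, with a bounds-checked lookup that treats anything outside the table as not comma-encoded.

```cpp
#include <array>
#include <cstddef>
#include <iostream>

// Constructed header-type enumeration (not the project's). The sentinel for
// unrecognised headers sits at -1, so a table indexed by "type + 1" has slot 0
// for UNKNOWN and slots 1..MAX_HEADERS for the named headers. That the project
// uses the +1 offset for this reason is an assumption made for this example.
enum HeaderType {
    UNKNOWN = -1,
    ALLOW = 0,
    CONTACT,
    VIA,
    MAX_HEADERS   // number of named headers; also used as an end marker
};

// Table shaped like the one in the report: one slot per named header and no
// slot for the sentinel, so the +1 lookup runs past the end for the last
// named header and for the end marker.
static const bool kCommaEncodingShort[MAX_HEADERS] = { true, true, true };

// Reproduces the guard from the report (type+1 compared with the table size)
// without performing the read: returns true when the lookup would overflow.
bool wouldOverflow(HeaderType type)
{
    const int index = static_cast<int>(type) + 1;
    const std::size_t size =
        sizeof(kCommaEncodingShort) / sizeof(kCommaEncodingShort[0]);
    return index < 0 || static_cast<std::size_t>(index) >= size;
}

// Corrected table: one slot for the sentinel plus one per named header. Tying
// the size to the enum means adding a header without a table entry no longer
// compiles instead of silently leaving a slot uninitialised or missing.
static const std::array<bool, MAX_HEADERS + 1> kCommaEncoding = {
    false,  // UNKNOWN: extension headers are not comma-encoded by default
    true,   // ALLOW
    true,   // CONTACT
    true    // VIA
};
static_assert(kCommaEncoding.size() == MAX_HEADERS + 1,
              "comma-encoding table must cover the sentinel and every header");

// Bounds-checked lookup: any value outside the table, including the end
// marker, is reported as not comma-encoded instead of being read from memory
// past the array.
bool isCommaEncodingSafe(HeaderType type)
{
    const int index = static_cast<int>(type) + 1;
    if (index < 0 || static_cast<std::size_t>(index) >= kCommaEncoding.size())
        return false;
    return kCommaEncoding[static_cast<std::size_t>(index)];
}

int main()
{
    const HeaderType types[] = { UNKNOWN, ALLOW, CONTACT, VIA, MAX_HEADERS };
    for (HeaderType t : types)
    {
        std::cout << "type " << static_cast<int>(t)
                  << " short-table overflow=" << wouldOverflow(t)
                  << " safe lookup=" << isCommaEncodingSafe(t) << std::endl;
    }
    return 0;
}
```

With the short table, both VIA (index 3 against a size of 3) and MAX_HEADERS (index 4) trip the guard, which is the same shape as the "type+1 = 79, sizeof = 78" failure in the report; the corrected table and lookup answer for every value without touching memory outside the array.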