[reSIProcate] Array overflow bug in Headers::CommaEncoding and similar arrays

Byron Campen bcampen at estacado.net
Thu Jul 27 21:45:28 CDT 2006


	Yeah, this bug was tracked down a few months ago, and is fixed in  
svn head. Good eye though.

Best regards,
Byron Campen

> Hello all,
>
> I think resiprocate-0.9.0-5019 has an array overflow bug affecting  
> CommaEncoding and similar arrays inside the Headers class. This bug  
> is easy to reproduce as shown below. I have come up with two  
> possible ways of fixing the bug but I'd like to know what other  
> developers on the list think.
>
> Thanks,
>
> Jorge
>
> BEGIN: Steps to reproduce array overflow bug
> ------------------------------------------------------------
> STEP 1) Modify "Headers::isCommaEncoding" as follows:
>
> bool
> Headers::isCommaEncoding(Type type)
> {
>    if(type+1 >= sizeof(CommaEncoding))
>    {
>       std::cout << "OUT_OF_RANGE_ERROR:"
>                 << " (int)type+1 = " << (int)type+1
>                 << " sizeof(CommaEncoding) = " << sizeof(CommaEncoding)
>                 << std::endl;
>       assert(false);
>    }
>    return CommaEncoding[type+1];
> }
>
> ------------------------------------------------------------
> STEP 2) Run "resiprocate/test/testSipMessage"
>
> ------------------------------------------------------------
> STEP 3) Program fails as follows:
>
> OUT_OF_RANGE_ERROR: (int)type+1 = 79 sizeof(CommaEncoding) = 78
> Assertion failed: false, file Headers.cxx, line 40
> Abort (core dumped)
>
> ------------------------------------------------------------
> STEP 4) Minimum code required to duplicate error is as follows:
>
> int
> main(int argc, char** argv)
> {
>    SipMessage m;
>    UnknownHeaderType h("tweedle-dee");
>    m.header(h).push_back(StringCategory("Joe"));
>    m.header(h).push_back(StringCategory("Banks"));
>    const Data d(Data::from(m));
>    std::cout << "d = [" << d << "]" << std::endl;
>    return 0;
> }
>
> ------------------------------------------------------------
> END: Steps to reproduce array overflow bug
>
> _______________________________________________
> resiprocate-devel mailing list
> resiprocate-devel at list.sipfoundry.org
> https://list.sipfoundry.org/mailman/listinfo/resiprocate-devel
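The defect reported above is an enum-indexed `bool` table that is one entry shorter than the largest index (`type+1`) used to read it. The following is an added illustration, not code from reSIProcate or from either poster, of the pattern that prevents that class of bug: size the table from the enum's sentinel, assert at compile time that the two cannot drift apart, and make the accessor refuse out-of-range indexes instead of reading past the array. The enum, the table contents and the names `HeaderType`, `kCommaEncoding`, `isCommaEncoding`, `commaEncodingIndexInRange` and `lookupOverflows` are all assumptions constructed for the example.

```cpp
// Added example (not reSIProcate code): an enum-indexed lookup table whose
// size is tied to the enum, a compile-time check that the table covers every
// enumerator, and a bounds-checked accessor that fails loudly instead of
// reading past the end. All names here are hypothetical.
#include <cstddef>
#include <iostream>
#include <stdexcept>

// Hypothetical header-type enum. MAX_HEADERS is a sentinel that counts the
// enumerators. The lookup below indexes with type+1, as in the report, so the
// table must hold MAX_HEADERS + 1 entries.
enum HeaderType { CONTENT_TYPE = 0, VIA, UNKNOWN, MAX_HEADERS };

// Constructed sample table: slot 0 is reserved, entry type+1 says whether
// that header type may be comma-encoded.
static const bool kCommaEncoding[MAX_HEADERS + 1] = {
    false, // reserved slot 0
    false, // CONTENT_TYPE
    true,  // VIA
    false  // UNKNOWN
};

// Element count, not byte count: sizeof(array) equals the element count only
// because bool happens to be one byte, so divide by the element size.
constexpr std::size_t kCommaEncodingSize =
    sizeof(kCommaEncoding) / sizeof(kCommaEncoding[0]);

// Compile-time guarantee that the table and enum cannot drift apart: adding
// an enumerator without adding a table row fails the build.
static_assert(kCommaEncodingSize == MAX_HEADERS + 1,
              "kCommaEncoding must have one entry per header type plus slot 0");

// Returns true when the index type+1 lies inside the table.
bool commaEncodingIndexInRange(int type) {
    long idx = static_cast<long>(type) + 1;
    return idx >= 0 && static_cast<std::size_t>(idx) < kCommaEncodingSize;
}

// Bounds-checked lookup. Throws instead of reading out of bounds, which is
// what the assert(false) in the report's instrumented version approximated.
bool isCommaEncoding(int type) {
    if (!commaEncodingIndexInRange(type)) {
        throw std::out_of_range("isCommaEncoding: header type out of range");
    }
    return kCommaEncoding[type + 1];
}

// Probe helper: reports whether a lookup for this type would have overflowed,
// without the caller having to handle the exception itself.
bool lookupOverflows(int type) {
    try {
        (void)isCommaEncoding(type);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

int main() {
    std::cout << "VIA comma-encoded: " << isCommaEncoding(VIA) << '\n';
    // MAX_HEADERS is the sentinel, so type+1 is one past the end of the table.
    std::cout << "MAX_HEADERS overflows: " << lookupOverflows(MAX_HEADERS) << '\n';
    return 0;
}
```

The `static_assert` is the part worth carrying over to a real code base: the report's symptom (index 79 against a 78-entry table) is exactly the kind of drift between an enum and a hand-written table that a compile-time size check catches before any test runs.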
