[sr-dev] Memory corruption in textopsx
Hugh Waite
hugh.waite at crocodile-rcs.com
Wed Nov 30 23:49:53 CET 2011
Hi,
I've discovered a bug within textopsx to do with msg_apply_changes.
After creating the new request in pkg memory it is memcpy'ed back into
msg->buf. This is an issue when more than one SIP message has been read
from a TCP stream. If the new request is larger it will corrupt the
following message.
I don't know the best way to resolve this immediately, but I felt it was
worth mentioning here as you are about to release 3.2.1.
Best regards,
Hugh
Code path to recreate bug:
Send in 3 requests very quickly on a TCP stream; this is read as a
single block.
tcp_read.c: tcp_read_req()
first message is parsed.
receive_msg() ->
In the cfg, insert a header (e.g. Max-Forwards: 10),
msg_apply_changes() and forward.
More data exists in buffer, which is shifted to the start of the buffer,
however this has been overwritten.
Parse fails on second request.
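The following C program is an added illustration of the bug class described in this report, written for this page and not taken from Kamailio or textopsx: a read buffer holds two messages from one TCP read, the first message is rebuilt with an extra header, and the grown copy is written back over the start of the buffer. The struct, function names (`rebuild_with_header`, `apply_changes_unchecked`, `apply_changes_checked`) and the two shortened SIP-like requests are constructed for the demonstration; they do not correspond to the real `msg->buf` layout or to the fix the project eventually chose. The checked variant shows the defensive check a reviewer would look for: the in-place write is refused when the new message is longer than the space the old one occupied, so the bytes of the following message survive.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: two short SIP-like requests that arrived in a single
 * TCP read, back to back. Illustrative only, not captured traffic. */
#define REQ1 "OPTIONS sip:a SIP/2.0\r\nCSeq: 1 OPTIONS\r\n\r\n"
#define REQ2 "OPTIONS sip:b SIP/2.0\r\nCSeq: 2 OPTIONS\r\n\r\n"

/* Hypothetical stand-in for the TCP read buffer: all bytes received so far,
 * with the first (already parsed) message occupying data[0 .. msg_len). */
struct read_buf {
    char data[256];
    size_t len;      /* bytes currently in the buffer */
    size_t msg_len;  /* length of the first, parsed message */
};

static void fill_read_buf(struct read_buf *rb) {
    memset(rb, 0, sizeof *rb);
    memcpy(rb->data, REQ1 REQ2, sizeof(REQ1 REQ2) - 1);
    rb->len = sizeof(REQ1 REQ2) - 1;
    rb->msg_len = sizeof(REQ1) - 1;
}

/* Build a new copy of the first message with one header inserted before the
 * terminating CRLF CRLF (the "insert a header, msg_apply_changes()" step).
 * Result is heap allocated; caller frees. */
static char *rebuild_with_header(const char *msg, size_t msg_len,
                                 const char *hdr, size_t *out_len) {
    size_t hlen = strlen(hdr);
    char *out = malloc(msg_len + hlen + 1);
    if (!out) return NULL;
    memcpy(out, msg, msg_len - 2);                       /* everything up to final CRLF */
    memcpy(out + msg_len - 2, hdr, hlen);                /* new header line */
    memcpy(out + msg_len - 2 + hlen, msg + msg_len - 2, 2); /* final CRLF */
    *out_len = msg_len + hlen;
    out[*out_len] = '\0';
    return out;
}

/* Buggy behaviour from the report: the longer message is copied back over the
 * start of the buffer with no regard for the bytes that follow it. */
static void apply_changes_unchecked(struct read_buf *rb, const char *nm, size_t nlen) {
    memcpy(rb->data, nm, nlen);
    rb->msg_len = nlen;
}

/* Defensive variant: write in place only if the new message fits in the space
 * the old one occupied; otherwise refuse and leave the buffer untouched so the
 * caller can fall back to a separately allocated buffer. Returns 0 or -1. */
static int apply_changes_checked(struct read_buf *rb, const char *nm, size_t nlen) {
    if (nlen > rb->msg_len) return -1;
    memcpy(rb->data, nm, nlen);
    if (nlen < rb->msg_len) {
        /* shorter result: pull the following message(s) up behind it */
        memmove(rb->data + nlen, rb->data + rb->msg_len, rb->len - rb->msg_len);
        rb->len -= rb->msg_len - nlen;
    }
    rb->msg_len = nlen;
    return 0;
}

/* 1 if the bytes after the first message are still exactly REQ2, else 0. */
static int second_msg_intact(const struct read_buf *rb) {
    size_t rest = rb->len - rb->msg_len;
    return rest == sizeof(REQ2) - 1 &&
           memcmp(rb->data + rb->msg_len, REQ2, rest) == 0;
}

/* Replays the reported scenario through the unchecked write. Returns 0 when
 * the second request has been clobbered, -1 on allocation failure. */
static int demo_unchecked(void) {
    struct read_buf rb;
    size_t nlen;
    char *nm;
    fill_read_buf(&rb);
    nm = rebuild_with_header(rb.data, rb.msg_len, "Max-Forwards: 10\r\n", &nlen);
    if (!nm) return -1;
    apply_changes_unchecked(&rb, nm, nlen);
    free(nm);
    return second_msg_intact(&rb);
}

/* Same input through the checked write. Returns 1 when the write was refused
 * and the second request is untouched. */
static int demo_checked(void) {
    struct read_buf rb;
    size_t nlen;
    char *nm;
    int rc;
    fill_read_buf(&rb);
    nm = rebuild_with_header(rb.data, rb.msg_len, "Max-Forwards: 10\r\n", &nlen);
    if (!nm) return -1;
    rc = apply_changes_checked(&rb, nm, nlen);
    free(nm);
    return rc == -1 && second_msg_intact(&rb);
}

int main(void) {
    printf("unchecked write: second request intact? %d\n", demo_unchecked());
    printf("checked write:   refused and intact?    %d\n", demo_checked());
    return 0;
}
```

Running it shows the two outcomes side by side: after the unchecked copy the bytes where the second request began now hold the tail of the grown first request, which is exactly why the later "shift remaining data to the start of the buffer" step hands the parser garbage; the checked variant never writes past the old message's extent, so the second request parses as before. The same length-versus-capacity comparison is the condition to look for when reviewing any code that rewrites a parsed message back into a shared receive buffer.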