[sr-dev] negative values in branch picking priority - integer overflow
Jasmin Schnatterbeck
js at data-cmr.net
Sat Jun 8 22:18:31 CEST 2013
Hi,
I think I discovered a bug in t_pick_branch, lines
1194 if (get_prio(inc_code, rpl)<get_prio(best_s, rpl)) {
...
1210 get_prio(t->uac[b].last_received, rpl)<get_prio(best_s, rpl) )
the second argument of get_prio() ALWAYS corresponds to the branch
b, which is iterated within the loop:
rpl = t->uac[b].reply;
The "best_s" branch may have a different rpl; nevertheless, get_prio()
is always called with the same "rpl"!
So it can happen, e.g., that in the first iteration (best_s is 0), if
branch "b" has a faked reply (=> rpl == FAKED_REPLY) and the module
parameter "faked_reply_prio" is +1000, get_prio() does the following:
1168 if (rpl == FAKED_REPLY) {
1169 /* Add faked_reply penalty */
1170 return prio + faked_reply_prio;
=> 32000 + 1000 !!! overflow !!!
rpl == FAKED_REPLY because get_prio(best_s, rpl) is called with the
currently-iterated rpl parameter!
In my opinion it needs to be stored for the best_s, whether it has a
FAKED_REPLY or not, best_s_rpl or something....
Cheers
Jasmin
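A constructed model of the two problems described above (the wrong rpl passed for best_s, and the penalty addition overflowing), as an added example that is not the tm module's code. It assumes a 16-bit priority field, a sentinel FAKED_REPLY pointer, and an invented base priority mapping; both the buggy loop and the fix suggested above are shown.

```c
#include <stdint.h>

/* Constructed model of the t_pick_branch() loop from the post, not Kamailio's
 * code.  Assumptions: priorities live in a 16-bit field (so 32000 + 1000 wraps)
 * and FAKED_REPLY is a sentinel pointer that never points at a real reply. */
typedef int16_t prio_t;
#define FAKED_REPLY ((struct reply *)-1)
struct reply  { int code; };
struct branch { int last_received; struct reply *reply; };
int faked_reply_prio = 1000;          /* module parameter value from the post */
/* Constructed base mapping: lower priority wins, 6xx replies are worst (32000). */
static prio_t base_prio(int code) { return code >= 600 ? 32000 : (prio_t)code; }
/* Plain addition wraps: 32000 + 1000 becomes -32536, so a faked reply looks best. */
prio_t get_prio_wrapping(int code, const struct reply *rpl) {
    int prio = base_prio(code);
    return (prio_t)(rpl == FAKED_REPLY ? prio + faked_reply_prio : prio);
}

/* Hardened variant: add in int, then saturate at the field's maximum. */
prio_t get_prio(int code, const struct reply *rpl) {
    int prio = base_prio(code);
    if (rpl == FAKED_REPLY) prio += faked_reply_prio;   /* faked_reply penalty */
    return prio > INT16_MAX ? INT16_MAX : (prio_t)prio;
}
/* Mirrors the post: best_s's priority is evaluated with branch b's rpl. */
int pick_branch_buggy(const struct branch *uac, int n) {
    int best_s = 0;
    for (int b = 1; b < n; b++) {
        const struct reply *rpl = uac[b].reply;
        if (get_prio(uac[b].last_received, rpl) < get_prio(uac[best_s].last_received, rpl))
            best_s = b;
    }
    return best_s;
}

/* Fix the post suggests: use the reply that belongs to best_s. */
int pick_branch_fixed(const struct branch *uac, int n) {
    int best_s = 0;
    for (int b = 1; b < n; b++)
        if (get_prio(uac[b].last_received, uac[b].reply)
            < get_prio(uac[best_s].last_received, uac[best_s].reply))
            best_s = b;
    return best_s;
}

/* Constructed sample: branch 0 timed out (faked 408), branch 1 got a real 486. */
static struct reply r486 = {486}, r600 = {600};
static const struct branch sample[3] = {{408, FAKED_REPLY}, {486, &r486}, {600, &r600}};
int demo_buggy(void) { return pick_branch_buggy(sample, 3); }  /* returns 0 */
int demo_fixed(void) { return pick_branch_fixed(sample, 3); }  /* returns 1 */
```

With the sample, the buggy loop keeps the faked branch 0 because its penalty is never applied to best_s, while the fixed loop selects branch 1.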