[sr-dev] negative values in branch picking priority - integer overflow

Jasmin Schnatterbeck js at data-cmr.net
Sat Jun 8 22:18:31 CEST 2013


Hi,

I think I discovered a bug in t_pick_branch, lines

1194          if (get_prio(inc_code, rpl)<get_prio(best_s, rpl)) {
...
1210    get_prio(t->uac[b].last_received, rpl)<get_prio(best_s, rpl) )


the second argument of get_prio() ALWAYS corresponds to the branch 
b, which is iterated within the loop:
rpl = t->uac[b].reply;

The "best_s"-branch may have a different rpl - nevertheless, get_prio() 
is always called with the same "rpl"!

So, e.g., it can happen that in the first iteration (best_s is 0), if the 
branch "b" has a faked reply (=> rpl == FAKED_REPLY) and the module 
parameter "faked_reply_prio" is +1000, get_prio() does the following

1168         if (rpl == FAKED_REPLY) {
1169                 /* Add faked_reply penalty */
1170                 return prio + faked_reply_prio;

=> 32000 + 1000   !!! overflow !!!

rpl == FAKED_REPLY because get_prio(best_s, rpl) is called with the 
currently-iterated rpl parameter!

In my opinion it needs to be stored for best_s whether it has a 
FAKED_REPLY or not, best_s_rpl or something...

Cheers
Jasmin
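The two defects described in the message, reproduced in a small stand-alone C model. This is an added example, not sip-router/Kamailio code: `base_prio()`, the `struct branch`/`struct reply` layout, the sentinel `FAKED_REPLY` object and the assumption that the priority lives in a 16-bit signed integer (which is what makes 32000 + 1000 overflow) are all constructed for illustration. `pick_buggy()` mirrors the loop from the post, passing the iterated branch's `rpl` for `best_s` as well; `pick_fixed()` evaluates `best_s` with its own reply, which is the change the post suggests.

```c
#include <stdio.h>

/* Constructed model of the t_pick_branch issue from the post; not the project's code. */

#define NR_BRANCHES 2

struct reply  { int code; };                      /* stand-in for a real SIP reply */
struct branch { int last_received; struct reply *reply; };

static struct reply faked_reply_obj;              /* sentinel object, assumption */
#define FAKED_REPLY (&faked_reply_obj)

static int faked_reply_prio = 1000;               /* module parameter, value from the post */

/* Portable 16-bit two's-complement wrap so the overflow is reproducible, not UB. */
static int wrap16(long v) {
    v %= 65536;
    if (v < 0) v += 65536;
    return v >= 32768 ? (int)(v - 65536) : (int)v;
}

/* Base priority by reply class. Values are constructed so that one class sits near
 * the top of the 16-bit range, mirroring the "32000 + 1000" in the post. */
static int base_prio(int code) {
    if (code >= 600) return 32000;
    if (code >= 500) return 500;
    if (code >= 400) return 400;
    return 300;
}

/* 16-bit flavour: adds the faked-reply penalty and wraps, as the post describes. */
static int get_prio16(int code, struct reply *rpl) {
    int prio = base_prio(code);
    if (rpl == FAKED_REPLY)
        return wrap16(prio + faked_reply_prio);   /* 32000 + 1000 -> -32536 */
    return prio;
}

/* Same computation in a wide int: isolates the wrong-rpl bug from the overflow. */
static int get_prio_wide(int code, struct reply *rpl) {
    int prio = base_prio(code);
    if (rpl == FAKED_REPLY)
        return prio + faked_reply_prio;
    return prio;
}

/* As in the post: the currently iterated branch's rpl is also used for best_s. */
static int pick_buggy(struct branch *uac, int (*get_prio)(int, struct reply *)) {
    int best_s = 0, b;
    for (b = 0; b < NR_BRANCHES; b++) {
        struct reply *rpl = uac[b].reply;
        if (get_prio(uac[b].last_received, rpl) < get_prio(uac[best_s].last_received, rpl))
            best_s = b;
    }
    return best_s;
}

/* Suggested fix: each branch is rated with its own reply, so best_s keeps its own
 * faked/real status instead of inheriting branch b's. */
static int pick_fixed(struct branch *uac, int (*get_prio)(int, struct reply *)) {
    int best_s = 0, b;
    for (b = 0; b < NR_BRANCHES; b++) {
        if (get_prio(uac[b].last_received, uac[b].reply) <
            get_prio(uac[best_s].last_received, uac[best_s].reply))
            best_s = b;
    }
    return best_s;
}

/* Constructed scenarios. A: overflow flips the comparison; B: wrong rpl alone is enough. */
static struct reply r603 = { 603 }, r500 = { 500 };
static struct branch scenario_a[NR_BRANCHES] = {
    { 603, &r603 },        /* real reply, prio 32000 */
    { 480, FAKED_REPLY },  /* faked reply, prio 400 + 1000 = 1400 */
};
static struct branch scenario_b[NR_BRANCHES] = {
    { 400, FAKED_REPLY },  /* faked reply, prio 1400 */
    { 500, &r500 },        /* real reply, prio 500 */
};

int main(void) {
    printf("prio of real 603 rated with a faked rpl (16-bit): %d\n",
           get_prio16(603, FAKED_REPLY));
    printf("scenario A: buggy/16-bit=%d buggy/wide=%d fixed=%d\n",
           pick_buggy(scenario_a, get_prio16), pick_buggy(scenario_a, get_prio_wide),
           pick_fixed(scenario_a, get_prio16));
    printf("scenario B: buggy=%d fixed=%d\n",
           pick_buggy(scenario_b, get_prio_wide), pick_fixed(scenario_b, get_prio_wide));
    return 0;
}
```

In scenario A the buggy loop rates branch 0's real 603 with branch 1's faked `rpl`, the 16-bit sum wraps negative, and the clearly worse branch 0 is kept; with a wide integer the same loop picks branch 1 only by accident, since branch 0 is still charged a penalty it never earned. Scenario B shows the `rpl` mix-up without any overflow: the faked branch 0 is rated as if real and wins against a real 500.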
