[SR-Users] [PATCH] Memory corruption using s.substr transformation

[Martin Mikkelsen]

On Tue, Apr 30, 2013 at 02:42:22PM +0200, Andreas Granig wrote:
> Hi,
> 
> We've seen this behaviour as well and worked around it using
> avp_subst with regex, as we didn't have the time yet to investigate
> further.

I was also able to work around it with:

  $var(tmp) = $(var(x){s.substr,1,0});
  $var(x) = $(var(tmp));

> But basically I can confirm this issue.

It seems that at least the s.substr, s.select, s.strip, s.striptail,
line.at and line.sw transformations are vulnerable to this issue since
they reuse the input buffer. I think that the URI-parsing
transformations are also vulnerable since they also reuse the existing
input as far as I can see.

I can probably write a patch to change the 6 string transformations to
use _tr_buffer, but I dont know if that is the best solution. It may be
better to fix the variable assignment functions to make a copy of the
rvalue if it overlaps the lvalue before the assignment, maybe someone
who is more knowledgable with the kamailio source code can take a look
at this.

-- 
Martin Mikkelsen, Zisson AS