[SR-Users] [PATCH] Memory corruption using s.substr transformation

Daniel-Constantin Mierla miconda at gmail.com
Tue Apr 30 17:39:05 CEST 2013


Hello,

On 4/30/13 5:31 PM, Martin Mikkelsen wrote:
> On Tue, Apr 30, 2013 at 02:42:22PM +0200, Andreas Granig wrote:
>> Hi,
>>
>> We've seen this behaviour as well and worked around it using
>> avp_subst with regex, as we didn't have the time yet to investigate
>> further.
> I was also able to work around it with:
>
>    $var(tmp) = $(var(x){s.substr,1,0});
>    $var(x) = $(var(tmp));
>
>> But basically I can confirm this issue.
> It seems that at least the s.substr, s.select, s.strip, s.striptail,
> line.at and line.sw transformations are vulnerable to this issue since
> they reuse the input buffer. I think that the URI-parsing
> transformations are also vulnerable since they also reuse the existing
> input as far as I can see.
>
> I can probably write a patch to change the 6 string transformations to
> use _tr_buffer, but I don't know if that is the best solution. It may be
> better to fix the variable assignment functions to make a copy of the
> rvalue if it overlaps the lvalue before the assignment, maybe someone
> who is more knowledgeable with the kamailio source code can take a look
> at this.
>
Please do the patch to store the new value in _tr_buffer and attach it
to the mailing list or bug tracker. I haven't looked at the code yet, but
it sounds like there is indeed an issue. I will review the patch and apply it.

Cheers,
Daniel

-- 
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Training, San Francisco, USA - June 24-27, 2013
   * http://asipto.com/u/katu *
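
The aliasing problem discussed in this thread, as an added C model (not Kamailio source and not part of any message above): a transformation that reuses its input buffer returns a result pointing into the variable being assigned, so an assignment that resets the destination before copying reads stale bytes. All names here (`str_view`, `script_var`, `substr_alias`, `assign_naive`, `assign_safe`, `scratch`) are hypothetical; the scratch buffer stands in for a separate result buffer such as the `_tr_buffer` mentioned above.

```c
#include <stdint.h>
#include <string.h>
#define VAR_CAP 64

typedef struct { const char *s; int len; } str_view;        /* counted string */
typedef struct { char buf[VAR_CAP]; int len; } script_var;  /* hypothetical variable */

/* Substring that reuses the input buffer, so the result aliases `in`.
 * A length of 0 means "to the end", as in the thread's {s.substr,1,0}. */
static str_view substr_alias(str_view in, int off, int n) {
    str_view out = { in.s, 0 };
    if (off < 0 || off > in.len) return out;
    if (n <= 0 || n > in.len - off) n = in.len - off;
    out.s = in.s + off;
    out.len = n;
    return out;
}

/* True when the rvalue points into the destination variable's own storage. */
static int overlaps(const script_var *v, str_view r) {
    uintptr_t b = (uintptr_t)v->buf, p = (uintptr_t)r.s;
    return r.len > 0 && p < b + VAR_CAP && p + (uintptr_t)r.len > b;
}

/* Naive assignment: wipes the destination (stand-in for releasing the old
 * value) and only then reads the rvalue, which may point at the wiped bytes. */
static int assign_naive(script_var *v, str_view r) {
    if (r.len > VAR_CAP) return -1;
    memset(v->buf, 0, VAR_CAP);
    for (int i = 0; i < r.len; i++) v->buf[i] = r.s[i];
    v->len = r.len;
    return 0;
}

/* Guarded assignment: an overlapping rvalue is copied to scratch space first. */
static int assign_safe(script_var *v, str_view r) {
    static char scratch[VAR_CAP];
    if (r.len > VAR_CAP) return -1;
    if (overlaps(v, r)) { memcpy(scratch, r.s, (size_t)r.len); r.s = scratch; }
    return assign_naive(v, r);
}

/* Constructed case: x = "abcdef"; x = substr(x, 1, 0). Returns 1 if x == "bcdef". */
static int demo(int safe) {
    script_var x = { "abcdef", 6 };
    str_view r = substr_alias((str_view){ x.buf, x.len }, 1, 0);
    if ((safe ? assign_safe(&x, r) : assign_naive(&x, r)) != 0) return -1;
    return x.len == 5 && memcmp(x.buf, "bcdef", 5) == 0;
}
```

`demo(0)` ends with the variable holding zero bytes instead of "bcdef", while `demo(1)` preserves the substring; the two-step `$var(tmp)` workaround quoted above has the same effect as the scratch copy.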



