Hi,
I think I discovered a bug in t_pick_branch, lines

    1194 if (get_prio(inc_code, rpl)<get_prio(best_s, rpl)) {
    ...
    1210 get_prio(t->uac[b].last_received, rpl)<get_prio(best_s, rpl) )

The second argument of get_prio() does ALWAYS correspond to the branch
b, which is iterated within the loop:

    rpl = t->uac[b].reply;

The "best_s"-branch may have a different rpl - nevertheless, get_prio()
is always called with the same "rpl"!
So e.g. it can happen that in the first iteration (best_s is 0), if the
branch "b" has a faked reply (=> rpl == FAKED_REPLY) and the module
parameter "faked_reply_prio" is +1000, get_prio() does the following:

    1168 if (rpl == FAKED_REPLY) {
    1169 /* Add faked_reply penalty */
    1170 return prio + faked_reply_prio;

=> 32000 + 1000 !!! overflow !!!
rpl == FAKED_REPLY because get_prio(best_s, rpl) is called with the
currently-iterated rpl parameter!
In my opinion it needs to be stored for the best_s, whether it has a
FAKED_REPLY or not, best_s_rpl or something....
Cheers
Jasmin
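A simplified model of the comparison reported above, added here as an illustration; it is not the module's code and not part of the original message. Assumptions: the 16-bit return type of get_prio(), the class priority table (only the 32000 for code 0 is taken from the post), the reduced loop, and the hypothetical names pick, own_rpl, only_faked and mixed.

```c
#include <stdint.h>
#include <stdio.h>

struct sip_msg { int unused; };              /* stand-in for the real type */
#define FAKED_REPLY ((struct sip_msg *)-1)   /* sentinel for a locally generated reply */
static int faked_reply_prio = 1000;          /* value used in the post */
/* Constructed class table; only the 32000 for code 0 comes from the post. */
static const int class_prio[7] = {32000, 11000, 0, 3000, 4000, 5000, 0};

/* Assumption: 16-bit signed result, which is what makes 32000 + 1000 overflow. */
static int16_t get_prio(unsigned int code, struct sip_msg *rpl)
{
    int prio = code / 100 < 7 ? class_prio[code / 100] + (int)(code % 100)
                              : 10000 + (int)code;
    if (rpl == FAKED_REPLY)
        prio += faked_reply_prio;
    return (int16_t)prio;   /* 33000 wraps to a negative value with gcc/clang */
}

struct branch { unsigned int last_received; struct sip_msg *reply; };

/* own_rpl == 0: best_s is rated with the current branch's rpl (as reported).
 * own_rpl != 0: best_s is rated with its own stored reply (best_s_rpl). */
static int pick(const struct branch *uac, int n, int own_rpl)
{
    int best_b = -1;
    unsigned int best_s = 0;
    struct sip_msg *best_s_rpl = NULL;
    for (int b = 0; b < n; b++) {
        struct sip_msg *rpl = uac[b].reply;
        struct sip_msg *cmp = own_rpl ? best_s_rpl : rpl;
        if (get_prio(uac[b].last_received, rpl) < get_prio(best_s, cmp)) {
            best_b = b;
            best_s = uac[b].last_received;
            best_s_rpl = rpl;
        }
    }
    return best_b;
}

/* Constructed sample branches. */
static struct sip_msg real_reply;
static const struct branch only_faked[] = {{408, FAKED_REPLY}};
static const struct branch mixed[] = {{486, &real_reply}, {408, FAKED_REPLY}};

int main(void)
{
    printf("only_faked: shared=%d own=%d\n", pick(only_faked, 1, 0), pick(only_faked, 1, 1));
    printf("mixed:      shared=%d own=%d\n", pick(mixed, 2, 0), pick(mixed, 2, 1));
    return 0;
}
```

In this model the shared-rpl comparison never selects a lone faked branch, and in the mixed case it lets the faked 408 displace the real 486 because the penalty is applied to both sides of the comparison.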