18 Oct
2009
18 Oct
'09
1:46 p.m.
looks like sr parser/parse_event.c has the same bug that i found in
opensips although the implementations are different.
after statement
end = skip_token(tmp.s, tmp.len);
end points to next char after event string.
then end is assigned to tmp.s
tmp.s = end;
and after that if statement compares this next char to ';':
if (tmp.s[0] == ';') {
which looks wrong to me, because that char can be anything if event does
not have any params.
perhaps someone else can recheck if i'm right or wrong.
-- juha
18 Oct
18 Oct
9:27 p.m.
On Sun, Oct 18, 2009 at 12:46 PM, Juha Heinanen <jh(a)tutpro.com> wrote:
looks like sr parser/parse_event.c has the same bug
that i found in
opensips although the implementations are different.
after statement
end = skip_token(tmp.s, tmp.len);
end points to next char after event string.
then end is assigned to tmp.s
tmp.s = end;
and after that if statement compares this next char to ';':
if (tmp.s[0] == ';') {
which looks wrong to me, because that char can be anything if event does
not have any params.
perhaps someone else can recheck if i'm right or wrong.
Yes, I think this is a bug. The bug won't be triggered if event_parser
is only called from parse_event, but given that some modules use
event_parser directly, it can happen that it will try to read a
character which does not belong to the string given in arguments
anymore.
I will fix it, thanks.
-- Jan
19 Oct
19 Oct
8:47 a.m.
Jan Janak writes:
Yes, I think this is a bug. The bug won't be
triggered if event_parser
is only called from parse_event, but given that some modules use
event_parser directly, it can happen that it will try to read a
character which does not belong to the string given in arguments
anymore.
i have seen it happening a couple of times, i.e., event didn't have
params, but the next char in memory just happened to be ';'.
-- juha
5514
days inactive
5515
days old
2 comments
3 participants
participants (3)
-
Jan Janak -
jh@tutpro.com -
Juha Heinanen