On Tue, Apr 30, 2013 at 02:42:22PM +0200, Andreas
Granig wrote:
Hi,
We've seen this behaviour as well and worked around it using
avp_subst with regex, as we didn't have the time yet to investigate
further.
I was also able to work around it with:
$var(tmp) = $(var(x){s.substr,1,0});
$var(x) = $(var(tmp));
But basically I can confirm this issue.
It
seems that at least the s.substr, s.select, s.strip, s.striptail,
line.at and line.sw transformations are vulnerable to this issue since
they reuse the input buffer. I think that the URI-parsing
transformations are also vulnerable since they also reuse the existing
input as far as I can see.
I can probably write a patch to change the 6 string transformations to
use _tr_buffer, but I dont know if that is the best solution. It may be
better to fix the variable assignment functions to make a copy of the
rvalue if it overlaps the lvalue before the assignment, maybe someone
who is more knowledgable with the kamailio source code can take a look
at this.
please do the patch to store the new value in _tr_buffer and attach it
to mailing list or bug tracker. I haven't looked at code yet, but sounds
like there is indeed an issue. I will review the patch and apply it.
Cheers,
Daniel
--
Daniel-Constantin Mierla -