Hello,
On 4/30/13 5:31 PM, Martin Mikkelsen wrote:
On Tue, Apr 30, 2013 at 02:42:22PM +0200, Andreas Granig wrote:
Hi,
We've seen this behaviour as well and worked around it using
avp_subst with regex, as we didn't have the time yet to investigate
further.
I was also able to work around it with:
$var(tmp) = $(var(x){s.substr,1,0});
$var(x) = $(var(tmp));
But basically I can confirm this issue.
It seems that at least the s.substr, s.select, s.strip, s.striptail,
line.at and line.sw transformations are vulnerable to this issue since
they reuse the input buffer. I think that the URI-parsing
transformations are also vulnerable since they also reuse the existing
input as far as I can see.
I can probably write a patch to change the 6 string transformations to
use _tr_buffer, but I dont know if that is the best solution. It may be
better to fix the variable assignment functions to make a copy of the
rvalue if it overlaps the lvalue before the assignment, maybe someone
who is more knowledgable with the kamailio source code can take a look
at this.
please do the patch to store the new value in _tr_buffer and attach it
to mailing list or bug tracker. I haven't looked at code yet, but sounds
like there is indeed an issue. I will review the patch and apply it.
Cheers,
Daniel
--
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Training, San Francisco, USA - June 24-27, 2013
* http://asipto.com/u/katu *
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
