[asterisk-dev] Version 1.4.19-rc2 bug

Terry Sanders asterisk at vertone.co.uk
Tue Mar 11 18:41:37 CDT 2008


I've just compiled rc2 and noticed this compile warning:

chan_misdn.c: In function 'misdn_call':
chan_misdn.c:2015: warning: array subscript is above array bounds

Looking at the code I see this:

        char *opts=NULL, *ext;
        char dest_cp[256];

        {
                strncpy(dest_cp,dest,sizeof(dest_cp)-1);
                dest_cp[sizeof(dest_cp)]=0;			<----- Warning for this line

                ext=dest_cp;


which is writing a zero one past the end of the array. If I remember correctly 
how C allocates local variables this means the zero will actually go into 
the "ext" variable and then be immediately overwritten by the address of the 
dest_cp array. As a result, if the passed in dest string is 255 or more 
characters long then you might end up processing an unterminated string.

Regards

Terry
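
The off-by-one described in the message above, as an added example (not part of the original post and not Asterisk's code), with the as-posted pattern beside a corrected one. The `struct frame` guard byte, the helper names and the `'X'` fill are assumptions, chosen so that the write at index 256 lands in defined memory and can be observed.

```c
#include <stdio.h>
#include <string.h>

#define DEST_CP_SIZE 256  /* size of dest_cp in the quoted code */

/* Assumption: dest_cp plus one guard byte standing in for whatever follows
 * it on the stack, so the stray write is defined and can be observed. */
struct frame { char bytes[DEST_CP_SIZE + 1]; };

/* Fill with constructed "stack garbage" so missing terminators show up. */
static void frame_init(struct frame *f) { memset(f->bytes, 'X', sizeof f->bytes); }

/* Pattern from the post: terminator at index n, one past the end. */
static void copy_as_posted(char *buf, size_t n, const char *src)
{
    strncpy(buf, src, n - 1);
    buf[n] = 0;
}

/* Corrected pattern: terminator at the last valid index, n - 1. */
static void copy_corrected(char *buf, size_t n, const char *src)
{
    strncpy(buf, src, n - 1);
    buf[n - 1] = 0;
}

/* True if a NUL appears inside the n bytes that belong to the buffer. */
static int terminated_within(const char *buf, size_t n)
{
    return memchr(buf, 0, n) != NULL;
}

/* True if the byte just past the buffer was left untouched. */
static int guard_intact(const struct frame *f) { return f->bytes[DEST_CP_SIZE] == 'X'; }

int main(void)
{
    char dest[301];                 /* constructed 300-character dial string */
    struct frame f;
    memset(dest, 'A', 300); dest[300] = 0;

    frame_init(&f); copy_as_posted(f.bytes, DEST_CP_SIZE, dest);
    printf("as posted: terminated=%d guard_intact=%d\n",
           terminated_within(f.bytes, DEST_CP_SIZE), guard_intact(&f));
    frame_init(&f); copy_corrected(f.bytes, DEST_CP_SIZE, dest);
    printf("corrected: terminated=%d guard_intact=%d\n",
           terminated_within(f.bytes, DEST_CP_SIZE), guard_intact(&f));
    return 0;
}
```

With a source shorter than 255 characters the as-posted version still yields a terminated string, because `strncpy` pads the remainder with NULs, but the byte past the buffer is overwritten all the same.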


