[asterisk-dev] A bug in libss7!
tian
tian00di00 at live.com
Thu Jul 16 02:36:59 CDT 2009
Hi, guys!
I think I have spotted a bug in libss7 while reading the source code. I
tried to report the suspected bug to the code maintainer by sending mail to
creslin at digium.com, but there has been no reply.
Is this a bug or not? I hope you guys will help me check it, thanks!
SVN Rev.: 269
Source file: mtp2.c
Lines: 650-651
A snippet of the buggy code is reproduced below:
static int lssu_rx(struct mtp2 *link, struct mtp_su_head *h, int len)
{
    unsigned char lssutype = lssu_type(h);

    if (len > (LSSU_SIZE + 2)) /* FCS is two bytes */
        mtp_error(link->master, "Received LSSU with length %d longer than expected\n", len);
Because LSSU_SIZE is #defined to be 6, the if statement in the code above
translates to:
    if (len > (6 + 2))
        mtp_error(link->master, "Received LSSU with length %d longer than expected\n", len);
but LSSU is of fixed length (6 octets), so it's a bug! The above code will
fail to issue a warning message when an erroneous LSSU with length 7 or 8 is
received.
Regards,
Tian