[asterisk-dev] A bug in libss7!

[John Todd]

On Jul 16, 2009, at 12:36 AM, tian wrote:

> Hi, guys!
>
> I think I have spotted a bug in libss7 while reading the source  
> code, I
> tried to report the suspected bug to the code maintainer by sending  
> mail to
> creslin at digium.com, but there has been no reply.
>
> Is this a bug or not? I hope you guys will help me check it, thanks!
>
> SVN Rev.: 269
> Source file: mtp2.c
> Lines: 650-651
> Snippet of the buggy codes are reproduced below:
>
> static int lssu_rx(struct mtp2 *link, struct mtp_su_head *h, int len)
> {
> unsigned char lssutype = lssu_type(h);
>
> if (len > (LSSU_SIZE + 2))  /* FCS is two bytes */
>  mtp_error(link->master, "Received LSSU with length %d longer than
> expected\n", len);
>
>
> Because LSSU_SIZE is #defined to be 6, the if statement in the code  
> above
> translates to:
>
> if (len > (6 + 2))
>    mtp_error(link->master, "Received LSSU with length %d longer than
> expected\n", len);
>
> but LSSU is of fixed length (6 octets), so it's a bug! The above  
> codes will
> fail to issue a warning message when an erroneous LSSU with length 7  
> of 8 is
> received.
>
>
> Regards,
>
> Tian



Tian -
   Thanks for looking through the code!  Often, writing to authors  
does not get a quick reply (or a reply at all) because of other work  
they're doing on other projects, or they simply don't have the time to  
work on that section of development.  However, that does not mean  
nobody else is looking at it!  Please open a ticket on  
issues.asterisk.org so that others may participate in the discussion  
of this problem, and so that there is permanent tracking that can be  
viewed and accessed by everyone on the project.

JT

---
John Todd                       email:jtodd at digium.com
Digium, Inc. | Asterisk Open Source Community Director
445 Jan Davis Drive NW -  Huntsville AL 35806  -   USA
direct: +1-256-428-6083         http://www.digium.com/