severity 479039 grave
thanks

Hi Steffen,

* Steffen Joeris <[EMAIL PROTECTED]> [2008-05-02 14:46]:
[...]
> The following CVE(0) has been issued against sip-tester.
>
> Please check if it applies to the Debian version.

It applies to the Debian version:

    482 uint16_t get_remote_video_port_media(char *msg)
    483 {
    484     char pattern[] = "m=video ";
    485     char *begin, *end;
    486     char number[5];
    487     begin = strstr(msg, pattern);
    488     if (!begin) {
    489         /* m=video not found */
    490         return 0;
    491     }
    492     begin += sizeof("m=video ") - 1;
    493     end = strstr(begin, "\r\n");
    494     if (!end)
    495         ERROR("get_remote_video_port_media: no CRLF found");
    496     memset(number, 0, 5);
    497     strncpy(number, begin, end - begin);
    498     return atoi(number);
    499 }

Looking at the code, it is possible to cause a buffer overflow of number by specifying a number for m=video that is larger than sizeof(number) bytes, because then end - begin will be > sizeof(number) and thus the strncpy call in line 497 will overflow the number buffer. Or in other words, strncpy is useless if used like this.

Adjusting severity.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
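The following is an added example illustrating the strncpy length problem described in the report; it is not code from sip-tester or from the original mail. It keeps the shape of the quoted parser but measures the length the original would hand to strncpy instead of performing the copy, and puts a bounded, range-checked variant beside it. The function names unsafe_copy_length, get_remote_video_port_media_safe and video_port_error, the error codes, and the SDP fragments are all constructed for this example and are not part of the project.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed SDP bodies (example input, not taken from the original report). */
static const char SDP_SHORT[]  = "v=0\r\nm=video 5004\r\n";                 /* fits the 5-byte buffer */
static const char SDP_LONG[]   = "v=0\r\nm=video 1234567890123456789\r\n";  /* 19 digits: far too long */
static const char SDP_BIG[]    = "v=0\r\nm=video 70000 RTP/AVP 31\r\n";     /* 5 digits, but > 65535 */
static const char SDP_NOCRLF[] = "v=0\r\nm=video 5004";                     /* unterminated line */
static const char SDP_NONE[]   = "v=0\r\nm=audio 49170 RTP/AVP 0\r\n";      /* no m=video at all */

#define NUMBER_BUF 5   /* same size as `char number[5]` in the quoted code */

/* Length the quoted code passes to strncpy: end - begin, never bounded by
 * sizeof(number). Returns -1 when m=video is missing or the line has no
 * CRLF, so those cases are distinguishable from a zero-length value. */
long unsafe_copy_length(const char *msg)
{
    const char pattern[] = "m=video ";
    const char *begin = strstr(msg, pattern);
    if (!begin)
        return -1;
    begin += sizeof(pattern) - 1;
    const char *end = strstr(begin, "\r\n");
    if (!end)
        return -1;
    return (long)(end - begin);   /* anything above NUMBER_BUF - 1 overruns `number` */
}

/* Hardened variant (hypothetical name): copy only the leading digit run, bound
 * the copy by the buffer, NUL-terminate explicitly and range-check the value.
 * Returns the port, or 0 with *err (if non-NULL) set to a non-zero code:
 *   1 = no m=video line, 2 = no CRLF, 3 = empty or over-long digit run,
 *   4 = value does not fit a 16-bit port. */
uint16_t get_remote_video_port_media_safe(const char *msg, int *err)
{
    const char pattern[] = "m=video ";
    char number[6];   /* 5 decimal digits plus NUL: enough for any 16-bit port */
    int dummy;
    if (!err)
        err = &dummy;
    *err = 0;

    const char *begin = strstr(msg, pattern);
    if (!begin) { *err = 1; return 0; }
    begin += sizeof(pattern) - 1;
    const char *end = strstr(begin, "\r\n");
    if (!end) { *err = 2; return 0; }

    /* Only the leading digits are the port; trailing " RTP/AVP 31" is ignored. */
    size_t len = 0;
    while (begin + len < end && isdigit((unsigned char)begin[len]))
        len++;
    if (len == 0 || len > sizeof(number) - 1) { *err = 3; return 0; }

    memcpy(number, begin, len);
    number[len] = '\0';   /* strncpy with n == sizeof would leave no terminator */
    unsigned long port = strtoul(number, NULL, 10);
    if (port > 65535UL) { *err = 4; return 0; }
    return (uint16_t)port;
}

/* Convenience wrapper returning only the error code. */
int video_port_error(const char *msg)
{
    int err;
    (void)get_remote_video_port_media_safe(msg, &err);
    return err;
}

int main(void)
{
    const char *inputs[] = { SDP_SHORT, SDP_LONG, SDP_BIG, SDP_NOCRLF, SDP_NONE };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        int err;
        uint16_t port = get_remote_video_port_media_safe(inputs[i], &err);
        printf("strncpy length would be %ld (buffer holds %d), safe parse: port=%u err=%d\n",
               unsafe_copy_length(inputs[i]), NUMBER_BUF - 1, port, err);
    }
    return 0;
}
```

The point of unsafe_copy_length is that the count passed to strncpy is derived entirely from attacker-controlled input (the distance to the next CRLF), so strncpy offers no protection at all; the hardened variant bounds the copy by the destination, terminates it itself, and rejects values that cannot be a port instead of silently truncating them with atoi.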