Dear all,

I think I have spotted a bug in libss7 code, I hope somebody will check it.

SVN Rev.: 266
Source file: mtp2.c
Lines: 646-652

A snippet of the buggy code is reproduced below:

    static int lssu_rx(struct mtp2 *link, struct mtp_su_head *h, int len)
    {
        unsigned char lssutype = lssu_type(h);

        if (len > (LSSU_SIZE + 2)) /* FCS is two bytes */
            mtp_error(link->master, "Received LSSU with length %d longer than expected\n", len);

*************************************Separator**********************************

Because LSSU_SIZE is #defined to be 6, the if statement in the code above translates to:

    if (len > (6 + 2))
        mtp_error(link->master, "Received LSSU with length %d longer than expected\n", len);

but an LSSU is of fixed length (6 octets), so it's a bug! The above code will fail to issue a warning message when an erroneous LSSU with length 7 or 8 is received.

            8     7     6     5     4     3     2     1
         +-----+-----+-----+-----+-----+-----+-----+-----+
      1  | BIB |                  BSN                    |
         +-----+-----+-----+-----+-----+-----+-----+-----+
      2  | FIB |                  FSN                    |
         +-----+-----+-----+-----+-----+-----+-----+-----+
      3  |///spare///|           LI = 1 or 2             |
         +-----+-----+-----+-----+-----+-----+-----+-----+
      4  |////////////spare////////////|       LSI       |
         +-----+-----+-----+-----+-----+-----+-----+-----+
      5  |                                               |
         +---                   CK                    ---+
      6  |                                               |
         +-----+-----+-----+-----+-----+-----+-----+-----+
                        format of an LSSU

Regards!
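As an added example (written for this note, not libss7 code and not part of the original post), the parser below reads the LSSU fields laid out in the diagram above and checks the received length strictly against what the LI field announces: 3 header octets, LI status-field octets (1 or 2, as the diagram shows), and 2 FCS octets. It also reproduces the posted condition with LSSU_SIZE taken as 6, exactly as the post states, so the two checks can be compared on the same input. The names LSSU_HDR_LEN, LSSU_FCS_LEN, struct lssu, posted_check_warns, lssu_parse and parse_sample, and the sample signal units, are this example's own assumptions, and no FCS verification is done here; a real receiver would verify CK before trusting any field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not libss7 code. Octet layout follows the LSSU diagram
 * in the post (ITU-T Q.703 signal unit format):
 *   octet 1: BIB (bit 8), BSN (bits 7..1)
 *   octet 2: FIB (bit 8), FSN (bits 7..1)
 *   octet 3: spare (bits 8..7), LI (bits 6..1); LI = 1 or 2 for an LSSU
 *   octet 4 (and 5 when LI = 2): status field, LSI in bits 3..1 of octet 4
 *   last two octets: CK (FCS)
 * All names below are this example's own assumptions. */
#define LSSU_HDR_LEN 3
#define LSSU_FCS_LEN 2

struct lssu {
    unsigned bsn, bib, fsn, fib, li, lsi;
};

/* The condition as posted, with LSSU_SIZE = 6 as the post states.
 * Returns 1 when the original code would log a warning, 0 otherwise. */
int posted_check_warns(size_t len)
{
    const size_t LSSU_SIZE = 6;
    return len > (LSSU_SIZE + 2);
}

/* Strict parse: the received length must equal exactly
 * header + LI + FCS. Returns 0 on success, -1 on any length or LI violation. */
int lssu_parse(const uint8_t *buf, size_t len, struct lssu *out)
{
    if (len < LSSU_HDR_LEN + 1 + LSSU_FCS_LEN)   /* need LI octet plus at least one SF octet */
        return -1;
    unsigned li = buf[2] & 0x3f;
    if (li != 1 && li != 2)                      /* LI 0 is a FISU, LI > 2 is an MSU */
        return -1;
    if (len != LSSU_HDR_LEN + li + LSSU_FCS_LEN) /* rejects both too long and too short */
        return -1;
    out->bib = buf[0] >> 7;
    out->bsn = buf[0] & 0x7f;
    out->fib = buf[1] >> 7;
    out->fsn = buf[1] & 0x7f;
    out->li  = li;
    out->lsi = buf[3] & 0x07;
    return 0;
}

/* Constructed sample signal units (not captured traffic). */
static const uint8_t sample_li1_ok[]    = { 0x85, 0x06, 0x01, 0x03, 0xAA, 0xBB };
static const uint8_t sample_li2_ok[]    = { 0x85, 0x06, 0x02, 0x04, 0x00, 0xAA, 0xBB };
static const uint8_t sample_li1_long[]  = { 0x85, 0x06, 0x01, 0x03, 0x00, 0xAA, 0xBB }; /* LI=1 but 7 octets */
static const uint8_t sample_li1_short[] = { 0x85, 0x06, 0x01, 0x03, 0xAA };             /* LI=1 but 5 octets */

/* which: 0 = LI 1 valid, 1 = LI 2 valid, 2 = LI 1 one octet too long, 3 = LI 1 one octet too short */
int parse_sample(int which, struct lssu *out)
{
    switch (which) {
    case 0: return lssu_parse(sample_li1_ok, sizeof sample_li1_ok, out);
    case 1: return lssu_parse(sample_li2_ok, sizeof sample_li2_ok, out);
    case 2: return lssu_parse(sample_li1_long, sizeof sample_li1_long, out);
    case 3: return lssu_parse(sample_li1_short, sizeof sample_li1_short, out);
    default: return -1;
    }
}

int main(void)
{
    struct lssu su;
    for (int i = 0; i < 4; i++) {
        int rc = parse_sample(i, &su);
        printf("sample %d: rc=%d", i, rc);
        if (rc == 0)
            printf(" bsn=%u bib=%u fsn=%u fib=%u li=%u lsi=%u",
                   su.bsn, su.bib, su.fsn, su.fib, su.li, su.lsi);
        printf("\n");
    }
    /* The posted check stays silent for a 7-octet unit carrying LI = 1. */
    printf("posted check warns on len 7: %d\n", posted_check_warns(7));
    return 0;
}
```

The point of the exact comparison is that an upper bound alone (the posted `len > LSSU_SIZE + 2`) says nothing about a unit that is one or two octets too long yet still under the bound, and nothing at all about one that is too short; tying the expected length to LI catches both directions and does not depend on a single fixed LSSU_SIZE constant.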