[PATCH] Fix global buffer overflow @sip_msg.c:254

b17 c0de
Thu, Oct 6, 2016 9:18 PM

Hi,
There is a buffer overflow in pjsip_method_init_np() calling
pj_memcmp(). If the length of the string method_names[i] is shorter
than str->slen then pj_memcmp() is comparing past the end of the
method_names[i]->ptr buffer. The log claims the pj_memcmp() call is a
performance "improvement" but I don't see how this can make any
meaningful difference here.

Kal

Ming
Fri, Oct 7, 2016 1:49 AM

Hi Kal,

I believe the original intention was to optimize by checking whether
the two strings have the same buffer and length, so it should be:
pj_memcmp(str, method_names[i], sizeof(pj_str_t))

That's what I committed in r5451
(https://trac.pjsip.org/repos/changeset/5451). Thanks for the report.

Regards,
Ming

On Fri, Oct 7, 2016 at 5:18 AM, b17 c0de b17c0de@gmail.com wrote:

> Hi,
> There is a buffer overflow in pjsip_method_init_np() calling
> pj_memcmp(). If the length of the string method_names[i] is shorter
> than str->slen then pj_memcmp() is comparing past the end of the
> method_names[i]->ptr buffer. The log claims the pj_memcmp() call is a
> performance "improvement" but I don't see how this can make any
> meaningful difference here.
>
> Kal
>
> _______________________________________________
> Visit our blog: http://blog.pjsip.org
>
> pjsip mailing list
> pjsip@lists.pjsip.org
> http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org
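The two comparisons discussed above, as an added example that is not pjsip's own code from sip_msg.c. It uses a minimal stand-in for pj_str_t, a five-entry subset of the method table with its own indices, a length-checked case-insensitive compare (str_icmp, standing in for pj_stricmp), the shape of the over-reading comparison as Kal describes it (reconstructed from the description, not copied from the tree), and the r5451-style fix Ming describes. method_lookup_vulnerable, method_lookup_fixed, overread_bytes and the *_cstr wrappers are this example's names, and the table subset and sample inputs are constructed for it.

```c
#include <assert.h>
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for pjsip's pj_str_t: a pointer plus a length, not NUL-terminated.
 * (The real struct uses a non-const char *ptr; const is used here only so the
 * table below can point at string literals cleanly.) */
typedef struct { const char *ptr; ptrdiff_t slen; } pj_str_t;

/* Constructed subset of the method table; indices are this example's own. */
static const pj_str_t method_names[] = {
    { "INVITE",   6 },
    { "CANCEL",   6 },
    { "ACK",      3 },
    { "BYE",      3 },
    { "REGISTER", 8 },
};
#define N_METHODS (sizeof(method_names) / sizeof(method_names[0]))
#define METHOD_OTHER (-1)

static pj_str_t mkstr(const char *s)
{
    pj_str_t r = { s, (ptrdiff_t)strlen(s) };
    return r;
}

/* Length-checked, case-insensitive compare (stands in for pj_stricmp()).
 * Returns 0 when equal. Never reads past either buffer. */
static int str_icmp(const pj_str_t *a, const pj_str_t *b)
{
    if (a->slen != b->slen) return 1;
    for (ptrdiff_t i = 0; i < a->slen; ++i)
        if (tolower((unsigned char)a->ptr[i]) != tolower((unsigned char)b->ptr[i]))
            return 1;
    return 0;
}

/* Shape of the comparison Kal reports (assumed, reconstructed from the
 * description): compare str->slen bytes against each table entry.
 * Defect 1: when str->slen exceeds the entry's length, memcmp reads past
 * the end of that entry's buffer (the global buffer over-read).
 * Defect 2: a prefix such as "INV" compares equal to "INVITE". */
static int method_lookup_vulnerable(const pj_str_t *str)
{
    for (size_t i = 0; i < N_METHODS; ++i) {
        if (memcmp(str->ptr, method_names[i].ptr, (size_t)str->slen) == 0 ||
            str_icmp(str, &method_names[i]) == 0)
            return (int)i;
    }
    return METHOD_OTHER;
}

/* Fixed lookup in the shape of r5451: the memcmp covers the two descriptor
 * fields only (sizeof(pj_str_t) bytes), so it succeeds only when caller and
 * table entry share the same ptr and slen, and it never touches the character
 * buffers. Any other input falls through to the length-checked compare.
 * Caveat: this shortcut compares raw struct bytes, so padding could make it
 * miss an otherwise identical descriptor; that is harmless here because the
 * str_icmp() path still decides the match. */
static int method_lookup_fixed(const pj_str_t *str)
{
    for (size_t i = 0; i < N_METHODS; ++i) {
        if (memcmp(str, &method_names[i], sizeof(pj_str_t)) == 0 ||
            str_icmp(str, &method_names[i]) == 0)
            return (int)i;
    }
    return METHOD_OTHER;
}

/* How far past the end of the shortest table entry the vulnerable compare
 * would read for this input; 0 means the vulnerable loop stays in bounds. */
static ptrdiff_t overread_bytes(const pj_str_t *str)
{
    ptrdiff_t worst = 0;
    for (size_t i = 0; i < N_METHODS; ++i) {
        ptrdiff_t past = str->slen - method_names[i].slen;
        if (past > worst) worst = past;
    }
    return worst;
}

/* C-string wrappers so the behaviour can be checked from plain literals. */
int lookup_vulnerable_cstr(const char *s) { pj_str_t t = mkstr(s); return method_lookup_vulnerable(&t); }
int lookup_fixed_cstr(const char *s)      { pj_str_t t = mkstr(s); return method_lookup_fixed(&t); }
long overread_cstr(const char *s)         { pj_str_t t = mkstr(s); return (long)overread_bytes(&t); }

int main(void)
{
    /* "INV" is 3 bytes, so every entry is long enough and the vulnerable
     * lookup stays in bounds here; it still returns a false prefix match. */
    assert(lookup_vulnerable_cstr("INV") == 0);
    assert(lookup_fixed_cstr("INV") == METHOD_OTHER);
    /* A 16-byte method name would read 13 bytes past "ACK" in the old code,
     * so it is only ever handed to the fixed lookup. */
    assert(overread_cstr("REGISTERREGISTER") == 13);
    assert(lookup_fixed_cstr("REGISTERREGISTER") == METHOD_OTHER);
    return 0;
}
```

The vulnerable lookup is only ever exercised with inputs no longer than the shortest table entry, so the example itself never performs the out-of-bounds read; overread_bytes() reports how far a longer name would have gone. Under AddressSanitizer the same over-read in the real tree is what shows up as the global-buffer-overflow report named in the subject.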
