From bc4a545aa050dd36c982bf102464edbc14a88753 Mon Sep 17 00:00:00 2001
From: Daniel-Constantin Mierla
Date: Fri, 12 Feb 2016 18:04:19 +0100
Subject: [PATCH] seas: safety check for target buffer size before copying message in encode_msg()

- avoid buffer overflow for large SIP messages
- reported by Stelios Tsampas

(cherry picked from commit f50c9c853e7809810099c970780c30b0765b0643)
(cherry picked from commit 18cd34781d2bdda9c19314c0494f6a655dbe6089)
---
 modules/seas/encode_msg.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/modules/seas/encode_msg.c b/modules/seas/encode_msg.c
index 06d31a3..e56b5fb 100644
--- a/modules/seas/encode_msg.c
+++ b/modules/seas/encode_msg.c
@@ -158,6 +158,7 @@ int encode_msg(struct sip_msg *msg,char *payload,int len)
 if(len < MAX_ENCODED_MSG + MAX_MESSAGE_LEN)
 return -1;
+
 if(parse_headers(msg,HDR_EOH_F,0)<0){
 myerror="in parse_headers";
 goto error;
@@ -266,6 +267,11 @@ int encode_msg(struct sip_msg *msg,char *payload,int len)
 /*j+=k;*/
 /*pkg_free(payload2);*/
 /*now we copy the actual message after the headers-meta-section*/
+
+ if(len < j + msg->len + 1) {
+ LM_ERR("not enough space to encode sip message\n");
+ return -1;
+ }
 memcpy(&payload[j],msg->buf,msg->len);
 LM_DBG("msglen = %d,msg starts at %d\n",msg->len,j);
 j=htons(j);
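Review bot: The new size check before the memcpy bails out with a bare `return -1;`, while the failure path visible earlier in the same function (the parse_headers check in the first hunk) sets `myerror` and jumps to `error`; if that label does any logging or cleanup, this early return skips it, so `myerror="not enough space to encode sip message"; goto error;` would keep the error handling uniform — the body of the `error` label is outside the hunk, so this is inferred. The `+ 1` in `len < j + msg->len + 1` is not explained and no write past `&payload[j + msg->len]` is visible in the hunk; a one-line comment naming what the extra byte is reserved for would save the next reader from guessing. For operators diagnosing rejected messages, the error line could carry the sizes involved, e.g. `LM_ERR("not enough space to encode sip message (need %d, have %d)\n", j + msg->len + 1, len);`, matching the `%d` style of the LM_DBG line below it. encode_msg() starts and ends outside this hunk.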