main/kamailio/0003-mtree-fixes.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177

commit 0e18bd70aa702e01ce1618d4d09e87fd2d120b38
Author: Daniel-Constantin Mierla <miconda@gmail.com>
Date:   Thu Mar 2 22:16:25 2017 +0100

    mtree: safety checks for range within the chars table
    
    (cherry picked from commit 980c861e39b1fb27de8d7c10390566e516e37fcc)
    (cherry picked from commit a5aab2ad5dad7d4c7c06cfc4f99703ab59586505)

diff --git a/modules/mtree/mtree.c b/modules/mtree/mtree.c
index 6b6283ded..8c7b84ed8 100644
--- a/modules/mtree/mtree.c
+++ b/modules/mtree/mtree.c
@@ -52,7 +52,9 @@ extern int _mt_allow_duplicates;
 static m_tree_t **_ptree = NULL; 
 
 /* quick transaltion table */
-unsigned char _mt_char_table[256];
+#define MT_CHAR_TABLE_SIZE	256
+#define MT_CHAR_TABLE_NOTSET 255
+unsigned char _mt_char_table[MT_CHAR_TABLE_SIZE];
 
 /**
  *
@@ -60,10 +62,17 @@ unsigned char _mt_char_table[256];
 void mt_char_table_init(void)
 {
 	unsigned int i;
-	for(i=0; i<=255; i++)
-		_mt_char_table[i] = 255;
-	for(i=0; i<mt_char_list.len; i++)
+	for(i=0; i<=MT_CHAR_TABLE_SIZE; i++) {
+		_mt_char_table[i] = MT_CHAR_TABLE_NOTSET;
+	}
+	for(i=0; i<mt_char_list.len; i++) {
+		if((unsigned int)mt_char_list.s[i]>=MT_CHAR_TABLE_SIZE) {
+			LM_ERR("char at position %u in [%.*s] is out of range - skipping\n",
+					i, mt_char_list.len, mt_char_list.s);
+			continue;
+		}
 		_mt_char_table[(unsigned int)mt_char_list.s[i]] = (unsigned char)i;
+	}
 }
 
 
@@ -182,7 +191,12 @@ int mt_add_to_tree(m_tree_t *pt, str *sp, str *svalue)
 	}
 
 	itn0 = pt->head;
-	if(_mt_char_table[(unsigned int)sp->s[l]]==255)
+	if((unsigned int)sp->s[l]>=MT_CHAR_TABLE_SIZE) {
+		LM_ERR("invalid range for char %d in prefix [%c (0x%x)]\n",
+				l, sp->s[l], sp->s[l]);
+		return -1;
+	}
+	if(_mt_char_table[(unsigned int)sp->s[l]]==MT_CHAR_TABLE_NOTSET)
 	{
 		LM_ERR("invalid char %d in prefix [%c (0x%x)]\n",
 				l, sp->s[l], sp->s[l]);
@@ -206,7 +220,13 @@ int mt_add_to_tree(m_tree_t *pt, str *sp, str *svalue)
 			itn0[_mt_char_table[(unsigned int)sp->s[l]]].child = itn;
 		}
 		l++;	
-		if(_mt_char_table[(unsigned int)sp->s[l]]==255)
+
+		if((unsigned int)sp->s[l]>=MT_CHAR_TABLE_SIZE) {
+			LM_ERR("invalid range for char %d in prefix [%c (0x%x)]\n",
+					l, sp->s[l], sp->s[l]);
+			return -1;
+		}
+		if(_mt_char_table[(unsigned int)sp->s[l]]==MT_CHAR_TABLE_NOTSET)
 		{
 			LM_ERR("invalid char %d in prefix [%c (0x%x)]\n",
 					l, sp->s[l], sp->s[l]);
@@ -312,8 +332,14 @@ is_t* mt_get_tvalue(m_tree_t *pt, str *tomatch, int *len)
 
 	while(itn!=NULL && l < tomatch->len && l < MT_MAX_DEPTH)
 	{
+		/* check range */
+		if((unsigned int)tomatch->s[l]>=MT_CHAR_TABLE_SIZE) {
+			LM_DBG("out of range char at %d in [%.*s]\n",
+					l, tomatch->len, tomatch->s);
+			return NULL;
+		}
 		/* check validity */
-		if(_mt_char_table[(unsigned int)tomatch->s[l]]==255)
+		if(_mt_char_table[(unsigned int)tomatch->s[l]]==MT_CHAR_TABLE_NOTSET)
 		{
 			LM_DBG("not matching char at %d in [%.*s]\n",
 					l, tomatch->len, tomatch->s);
@@ -359,8 +385,14 @@ int mt_add_tvalues(struct sip_msg *msg, m_tree_t *pt, str *tomatch)
 	itn = pt->head;
 
 	while (itn != NULL && l < tomatch->len && l < MT_MAX_DEPTH) {
+		/* check range */
+		if((unsigned int)tomatch->s[l]>=MT_CHAR_TABLE_SIZE) {
+			LM_DBG("out of range char at %d in [%.*s]\n",
+					l, tomatch->len, tomatch->s);
+			return -1;
+		}
 		/* check validity */
-		if(_mt_char_table[(unsigned int)tomatch->s[l]]==255) {
+		if(_mt_char_table[(unsigned int)tomatch->s[l]]==MT_CHAR_TABLE_NOTSET) {
 			LM_ERR("invalid char at %d in [%.*s]\n",
 					l, tomatch->len, tomatch->s);
 			return -1;
@@ -468,8 +500,14 @@ int mt_match_prefix(struct sip_msg *msg, m_tree_t *it,
 
 	while(itn!=NULL && l < tomatch->len && l < MT_MAX_DEPTH)
 	{
+		/* check range */
+		if((unsigned int)tomatch->s[l]>=MT_CHAR_TABLE_SIZE) {
+			LM_DBG("out of range char at %d in [%.*s]\n",
+					l, tomatch->len, tomatch->s);
+			return -1;
+		}
 		/* check validity */
-		if(_mt_char_table[(unsigned int)tomatch->s[l]]==255)
+		if(_mt_char_table[(unsigned int)tomatch->s[l]]==MT_CHAR_TABLE_NOTSET)
 		{
 			LM_ERR("invalid char at %d in [%.*s]\n",
 					l, tomatch->len, tomatch->s);
@@ -1104,8 +1142,14 @@ int mt_rpc_add_tvalues(rpc_t* rpc, void* ctx, m_tree_t *pt, str *tomatch)
 	itn = pt->head;
 
 	while (itn != NULL && l < tomatch->len && l < MT_MAX_DEPTH) {
+		/* check range */
+		if((unsigned int)tomatch->s[l]>=MT_CHAR_TABLE_SIZE) {
+			LM_DBG("out of range char at %d in [%.*s]\n",
+					l, tomatch->len, tomatch->s);
+			return -1;
+		}
 		/* check validity */
-		if(_mt_char_table[(unsigned int)tomatch->s[l]]==255) {
+		if(_mt_char_table[(unsigned int)tomatch->s[l]]==MT_CHAR_TABLE_NOTSET) {
 			LM_ERR("invalid char at %d in [%.*s]\n",
 					l, tomatch->len, tomatch->s);
 			return -1;
@@ -1214,8 +1258,14 @@ int mt_rpc_match_prefix(rpc_t* rpc, void* ctx, m_tree_t *it,
 
 	while(itn!=NULL && l < tomatch->len && l < MT_MAX_DEPTH)
 	{
+		/* check range */
+		if((unsigned int)tomatch->s[l]>=MT_CHAR_TABLE_SIZE) {
+			LM_DBG("out of range char at %d in [%.*s]\n",
+					l, tomatch->len, tomatch->s);
+			return -1;
+		}
 		/* check validity */
-		if(_mt_char_table[(unsigned int)tomatch->s[l]]==255)
+		if(_mt_char_table[(unsigned int)tomatch->s[l]]==MT_CHAR_TABLE_NOTSET)
 		{
 			LM_ERR("invalid char at %d in [%.*s]\n",
 					l, tomatch->len, tomatch->s);

commit 006c0232ba25897df795c4b4c21820d00e01588a (HEAD -> 4.2)
Author: Daniel-Constantin Mierla <miconda@gmail.com>
Date:   Fri Jun 16 11:49:28 2017 +0200

    mtree: avoid char array access over the size
    
    (cherry picked from commit 24718a4f0a7579abf9f32967cce2b86e5973cc6d)
    (cherry picked from commit 2d1dc7cfcde0410e44a8d53849c319c9d234a7b3)

diff --git a/modules/mtree/mtree.c b/modules/mtree/mtree.c
index 8c7b84ed8..6aa079f6f 100644
--- a/modules/mtree/mtree.c
+++ b/modules/mtree/mtree.c
@@ -62,7 +62,7 @@ unsigned char _mt_char_table[MT_CHAR_TABLE_SIZE];
 void mt_char_table_init(void)
 {
 	unsigned int i;
-	for(i=0; i<=MT_CHAR_TABLE_SIZE; i++) {
+	for(i=0; i<MT_CHAR_TABLE_SIZE; i++) {
 		_mt_char_table[i] = MT_CHAR_TABLE_NOTSET;
 	}
 	for(i=0; i<mt_char_list.len; i++) {