From bc4a545aa050dd36c982bf102464edbc14a88753 Mon Sep 17 00:00:00 2001
From: Daniel-Constantin Mierla <miconda@gmail.com>
Date: Fri, 12 Feb 2016 18:04:19 +0100
Subject: [PATCH] seas: safety check for target buffer size before copying
message in encode_msg()
- avoid buffer overflow for large SIP messages
- reported by Stelios Tsampas
(cherry picked from commit f50c9c853e7809810099c970780c30b0765b0643)
(cherry picked from commit 18cd34781d2bdda9c19314c0494f6a655dbe6089)
---
modules/seas/encode_msg.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/modules/seas/encode_msg.c b/modules/seas/encode_msg.c
index 06d31a3..e56b5fb 100644
--- a/modules/seas/encode_msg.c
+++ b/modules/seas/encode_msg.c
@@ -158,6 +158,7 @@ int encode_msg(struct sip_msg *msg,char *payload,int len)
if(len < MAX_ENCODED_MSG + MAX_MESSAGE_LEN)
return -1;
+
if(parse_headers(msg,HDR_EOH_F,0)<0){
myerror="in parse_headers";
goto error;
@@ -266,6 +267,11 @@ int encode_msg(struct sip_msg *msg,char *payload,int len)
/*j+=k;*/
/*pkg_free(payload2);*/
/*now we copy the actual message after the headers-meta-section*/
+
+ if(len < j + msg->len + 1) {
+ LM_ERR("not enough space to encode sip message\n");
+ return -1;
+ }
memcpy(&payload[j],msg->buf,msg->len);
LM_DBG("msglen = %d,msg starts at %d\n",msg->len,j);
j=htons(j);
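Review bot: The new guard returns -1 directly, whereas the rest of encode_msg reports failures by setting `myerror` and jumping to the `error` label (as the parse_headers check in the first hunk does), so whatever logging or cleanup that label performs is skipped on this path; for consistency I would write `myerror="not enough space to encode sip message"; goto error;` instead of the LM_ERR/return pair, if the error label only reports and does not depend on state set later. The `+ 1` in `len < j + msg->len + 1` is not explained; a short comment such as `/* one extra byte reserved after the copied message body */` would tell the next reader why the bound is one larger than the memcpy length, or should be dropped if nothing is written past `payload[j + msg->len]`. If `j` and `msg->len` are plain `int`, the sum could in principle wrap for a pathological length, though the first-hunk minimum-size check and the receive buffer presumably keep both small; computing `len - j < msg->len + 1` avoids the addition of two untrusted values. encode_msg begins and ends outside this hunk, so I cannot see what the `error` label does.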