[sr-dev] git:4.0: core: safety check for content-lenght size in tcp read

13 Apr 2013

Module: sip-router
Branch: 4.0
Commit: a49467e98dc721a1e4dbd9ba547d72aa38018883
URL:   
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=a49467e…

Author: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt;
Committer: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt;
Date:   Fri Apr 12 00:50:24 2013 +0200

core: safety check for content-lenght size in tcp read

- avoid getting negative
- upon a report by Kevin Wojtysiak
(cherry picked from commit 3c54420914c011bdd874a97c4c40ee9dacb59788)

---

 tcp_read.c |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

diff --git a/tcp_read.c b/tcp_read.c
index b969e6c..618e05a 100644
--- a/tcp_read.c
+++ b/tcp_read.c
@@ -805,11 +805,25 @@ int tcp_read_headers(struct tcp_connection *c, int* read_flags)
 					case '\r':
 					case ' ':
 					case '\t': /* FIXME: check if line contains only WS */
+						if(r->content_len<0) {
+							LOG(L_ERR, "bad Content-Length header value %d in"
+									" state %d\n", r->content_len, r->state);
+							r->content_len=0;
+							r->error=TCP_REQ_BAD_LEN;
+							r->state=H_SKIP; /* skip now */
+						}
 						r->state=H_SKIP;
 						r->flags|=F_TCP_REQ_HAS_CLEN;
 						break;
 					case '\n':
 						/* end of line, parse successful */
+						if(r->content_len<0) {
+							LOG(L_ERR, "bad Content-Length header value %d in"
+									" state %d\n", r->content_len, r->state);
+							r->content_len=0;
+							r->error=TCP_REQ_BAD_LEN;
+							r->state=H_SKIP; /* skip now */
+						}
 						r->state=H_LF;
 						r->flags|=F_TCP_REQ_HAS_CLEN;
 						break;



    

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

[sr-dev] git:4.0: core: safety check for content-lenght size in tcp read