Module: kamailio
Branch: master
Commit: 39fee94eb6fd6c0c52e2f88776bfd2ca61825300
URL:
https://github.com/kamailio/kamailio/commit/39fee94eb6fd6c0c52e2f88776bfd2c…
Author: jaybeepee <jason.penton(a)gmail.com>
Committer: jaybeepee <jason.penton(a)gmail.com>
Date: 2016-10-03T15:50:34+02:00
modules/ims_registrar_scscf: prevent possible segfault on contact param with no name
---
Modified: modules/ims_registrar_scscf/reply.c
---
Diff:
https://github.com/kamailio/kamailio/commit/39fee94eb6fd6c0c52e2f88776bfd2c…
Patch:
https://github.com/kamailio/kamailio/commit/39fee94eb6fd6c0c52e2f88776bfd2c…
---
diff --git a/modules/ims_registrar_scscf/reply.c b/modules/ims_registrar_scscf/reply.c
index c52334f..d86887f 100644
--- a/modules/ims_registrar_scscf/reply.c
+++ b/modules/ims_registrar_scscf/reply.c
@@ -115,19 +115,21 @@ static inline unsigned int calc_buf_len(impurecord_t* impurec) {
}
tmp = c->params;
while (tmp) {
- if ((tmp->name.s[0] == 'R' || tmp->name.s[0]=='r')
&& tmp->name.len == 8 && !memcmp(tmp->name.s+1, "eceived",
7)) {
- tmp = tmp->next;
- continue;
- }
- if ((tmp->name.s[0] == 'Q' || tmp->name.s[0]=='q')
&& tmp->name.len == 1) {
- tmp = tmp->next;
- continue;
- }
- if ((tmp->name.s[0] == 'E' || tmp->name.s[0] ==
'e') && tmp->name.len == 7 && !memcmp(tmp->name.s + 1,
"xpires", 6)) {
- tmp = tmp->next;
- continue;
- }
- len += tmp->name.len;
+ if (tmp->name.len > 0 && tmp->name.s) {
+ if ((tmp->name.s[0] == 'R' || tmp->name.s[0]=='r') &&
tmp->name.len == 8 && !memcmp(tmp->name.s+1, "eceived", 7)) {
+ tmp = tmp->next;
+ continue;
+ }
+ if ((tmp->name.s[0] == 'Q' || tmp->name.s[0]=='q') &&
tmp->name.len == 1) {
+ tmp = tmp->next;
+ continue;
+ }
+ if ((tmp->name.s[0] == 'E' || tmp->name.s[0] == 'e')
&& tmp->name.len == 7 && !memcmp(tmp->name.s + 1,
"xpires", 6)) {
+ tmp = tmp->next;
+ continue;
+ }
+ len += tmp->name.len + 1 /*separator ; */;
+ }
if (tmp->body.len > 0) {
len = len + 1/*=*/ + 2/*2 x "*/;
len += tmp->body.len;
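Review bot: A parameter that fails the new `tmp->name.len > 0 && tmp->name.s` guard still falls through to the `tmp->body.len > 0` branch, so a nameless parameter with a body is still sized here and, in the matching loop of the third hunk (build_contact), written as `="value"` with no `;name` before it. Skipping such a parameter outright keeps the emitted Contact header well-formed and removes a nesting level: `if (tmp->name.len <= 0 || !tmp->name.s) { tmp = tmp->next; continue; }` at the top of both loops. Whether the parser can actually hand over a nameless parameter with a body is not visible here, so treat this as hardening. The `+ 1 /*separator ; */` is a sizing change the commit title does not mention; it would help backporters to state whether the old count was one byte short per parameter. The loop and calc_buf_len continue outside the hunk.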
@@ -437,6 +439,7 @@ int build_contact(impurecord_t* impurec, contact_for_header_t**
contact_header)
tmp_contact_header->data_len = calc_buf_len(impurec);
tmp_contact_header->buf = (char*)shm_malloc(tmp_contact_header->data_len);
+ memset(tmp_contact_header->buf, 0, tmp_contact_header->data_len);
if (tmp_contact_header->data_len) {
p = tmp_contact_header->buf;
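Review bot: The added `memset` writes through `tmp_contact_header->buf` before anything visible in this hunk checks the result of `shm_malloc`, so shared-memory exhaustion becomes a NULL dereference in the very path this commit is hardening. Check the pointer first and fail the way the rest of build_contact does, e.g. `if (!tmp_contact_header->buf) { /* log, release tmp_contact_header, return error */ }`, and only then zero the buffer. Zero-filling can also mask, rather than fix, any remaining disagreement between calc_buf_len and the writer, so a short comment stating why the buffer is cleared would be worth adding above the call. build_contact starts and ends outside the hunk.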
@@ -496,21 +499,24 @@ int build_contact(impurecord_t* impurec, contact_for_header_t**
contact_header)
/* put in the rest of the params except Q and received */
tmp = c->params;
while (tmp) {
- if ((tmp->name.s[0] == 'R' ||
tmp->name.s[0]=='r') && tmp->name.len == 8 &&
!memcmp(tmp->name.s+1, "eceived", 7)) {
- tmp = tmp->next;
- continue;
- }
- if ((tmp->name.s[0] == 'Q' ||
tmp->name.s[0]=='q') && tmp->name.len == 1) {
- tmp = tmp->next;
- continue;
- }
- if ((tmp->name.s[0] == 'E' ||
tmp->name.s[0]=='e') && tmp->name.len == 7 &&
!memcmp(tmp->name.s+1, "xpires", 6)) {
- tmp = tmp->next;
- continue;
- }
- *p++ = ';';
- memcpy(p, tmp->name.s, tmp->name.len);
- p += tmp->name.len;
+ if (tmp->name.len>0 && tmp->name.s) {
+ if ((tmp->name.s[0] == 'R' || tmp->name.s[0]=='r') &&
tmp->name.len == 8 && !memcmp(tmp->name.s+1, "eceived", 7)) {
+ tmp = tmp->next;
+ continue;
+ }
+ if ((tmp->name.s[0] == 'Q' || tmp->name.s[0]=='q') &&
tmp->name.len == 1) {
+ tmp = tmp->next;
+ continue;
+ }
+ if ((tmp->name.s[0] == 'E' || tmp->name.s[0]=='e') &&
tmp->name.len == 7 && !memcmp(tmp->name.s+1, "xpires", 6)) {
+ tmp = tmp->next;
+ continue;
+ }
+ *p++ = ';';
+ memcpy(p, tmp->name.s, tmp->name.len);
+ p += tmp->name.len;
+ }
+
if (tmp->body.len > 0) {
*p++ = '=';
*p++ = '\"';
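Review bot: The skip list for `received`, `q` and `expires` is maintained in two hand-copied loops, here and in calc_buf_len (first hunk), and the writes through `p` are only in bounds while both copies agree exactly; the separator count had to be adjusted in this same commit. Moving the test into one static helper called from both loops, for example `if (skip_contact_param(tmp)) { tmp = tmp->next; continue; }` (helper name constructed for illustration), removes that drift risk. The match is also case-insensitive only on the first character, so a name such as `RECEIVED` or `EXPIRES` would not be filtered and would be copied into the reply; comparing the whole name with `strncasecmp` after the length check would follow SIP's case-insensitive parameter names. The loop body continues past the end of the hunk.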