Module: kamailio Branch: master Commit: 39fee94eb6fd6c0c52e2f88776bfd2ca61825300 URL: https://github.com/kamailio/kamailio/commit/39fee94eb6fd6c0c52e2f88776bfd2c… Author: jaybeepee <jason.penton(a)gmail.com> Committer: jaybeepee <jason.penton(a)gmail.com> Date: 2016-10-03T15:50:34+02:00 modules/ims_registrar_scscf: prevent possible segfault on contact param with no name --- Modified: modules/ims_registrar_scscf/reply.c --- Diff: https://github.com/kamailio/kamailio/commit/39fee94eb6fd6c0c52e2f88776bfd2c… Patch: https://github.com/kamailio/kamailio/commit/39fee94eb6fd6c0c52e2f88776bfd2c… --- diff --git a/modules/ims_registrar_scscf/reply.c b/modules/ims_registrar_scscf/reply.c index c52334f..d86887f 100644 --- a/modules/ims_registrar_scscf/reply.c +++ b/modules/ims_registrar_scscf/reply.c @@ -115,19 +115,21 @@ static inline unsigned int calc_buf_len(impurecord_t* impurec) { } tmp = c->params; while (tmp) { - if ((tmp->name.s[0] == 'R' || tmp->name.s[0]=='r') && tmp->name.len == 8 && !memcmp(tmp->name.s+1, "eceived", 7)) { - tmp = tmp->next; - continue; - } - if ((tmp->name.s[0] == 'Q' || tmp->name.s[0]=='q') && tmp->name.len == 1) { - tmp = tmp->next; - continue; - } - if ((tmp->name.s[0] == 'E' || tmp->name.s[0] == 'e') && tmp->name.len == 7 && !memcmp(tmp->name.s + 1, "xpires", 6)) { - tmp = tmp->next; - continue; - } - len += tmp->name.len; + if (tmp->name.len > 0 && tmp->name.s) { + if ((tmp->name.s[0] == 'R' || tmp->name.s[0]=='r') && tmp->name.len == 8 && !memcmp(tmp->name.s+1, "eceived", 7)) { + tmp = tmp->next; + continue; + } + if ((tmp->name.s[0] == 'Q' || tmp->name.s[0]=='q') && tmp->name.len == 1) { + tmp = tmp->next; + continue; + } + if ((tmp->name.s[0] == 'E' || tmp->name.s[0] == 'e') && tmp->name.len == 7 && !memcmp(tmp->name.s + 1, "xpires", 6)) { + tmp = tmp->next; + continue; + } + len += tmp->name.len + 1 /*separator ; */; + } if (tmp->body.len > 0) { len = len + 1/*=*/ + 2/*2 x "*/; len += tmp->body.len; @@ -437,6 +439,7 @@ int build_contact(impurecord_t* impurec, contact_for_header_t** contact_header) tmp_contact_header->data_len = calc_buf_len(impurec); tmp_contact_header->buf = (char*)shm_malloc(tmp_contact_header->data_len); + memset(tmp_contact_header->buf, 0, tmp_contact_header->data_len); if (tmp_contact_header->data_len) { p = tmp_contact_header->buf; @@ -496,21 +499,24 @@ int build_contact(impurecord_t* impurec, contact_for_header_t** contact_header) /* put in the rest of the params except Q and received */ tmp = c->params; while (tmp) { - if ((tmp->name.s[0] == 'R' || tmp->name.s[0]=='r') && tmp->name.len == 8 && !memcmp(tmp->name.s+1, "eceived", 7)) { - tmp = tmp->next; - continue; - } - if ((tmp->name.s[0] == 'Q' || tmp->name.s[0]=='q') && tmp->name.len == 1) { - tmp = tmp->next; - continue; - } - if ((tmp->name.s[0] == 'E' || tmp->name.s[0]=='e') && tmp->name.len == 7 && !memcmp(tmp->name.s+1, "xpires", 6)) { - tmp = tmp->next; - continue; - } - *p++ = ';'; - memcpy(p, tmp->name.s, tmp->name.len); - p += tmp->name.len; + if (tmp->name.len>0 && tmp->name.s) { + if ((tmp->name.s[0] == 'R' || tmp->name.s[0]=='r') && tmp->name.len == 8 && !memcmp(tmp->name.s+1, "eceived", 7)) { + tmp = tmp->next; + continue; + } + if ((tmp->name.s[0] == 'Q' || tmp->name.s[0]=='q') && tmp->name.len == 1) { + tmp = tmp->next; + continue; + } + if ((tmp->name.s[0] == 'E' || tmp->name.s[0]=='e') && tmp->name.len == 7 && !memcmp(tmp->name.s+1, "xpires", 6)) { + tmp = tmp->next; + continue; + } + *p++ = ';'; + memcpy(p, tmp->name.s, tmp->name.len); + p += tmp->name.len; + } + if (tmp->body.len > 0) { *p++ = '='; *p++ = '\"';