git:4.3:18cd3478: seas: safety check for target buffer size before copying message in encode_msg() - sr-dev

12 Feb 2016

Module: kamailio
Branch: 4.3
Commit: 18cd34781d2bdda9c19314c0494f6a655dbe6089
URL: https://github.com/kamailio/kamailio/commit/18cd34781d2bdda9c19314c0494f6a65...
Author: Daniel-Constantin Mierla miconda@gmail.com
Committer: Daniel-Constantin Mierla miconda@gmail.com
Date: 2016-02-12T18:06:57+01:00
seas: safety check for target buffer size before copying message in encode_msg()
- avoid buffer overflow for large SIP messages
- reported by Stelios Tsampas
(cherry picked from commit f50c9c853e7809810099c970780c30b0765b0643)
---
Modified: modules/seas/encode_msg.c
---
Diff:  https://github.com/kamailio/kamailio/commit/18cd34781d2bdda9c19314c0494f6a65...
Patch: https://github.com/kamailio/kamailio/commit/18cd34781d2bdda9c19314c0494f6a65...
---

diff --git a/modules/seas/encode_msg.c b/modules/seas/encode_msg.c
index 06d31a3..e56b5fb 100644
--- a/modules/seas/encode_msg.c
+++ b/modules/seas/encode_msg.c
@@ -158,6 +158,7 @@ int encode_msg(struct sip_msg *msg,char *payload,int len)
if(len < MAX_ENCODED_MSG + MAX_MESSAGE_LEN)
       return -1;
+
    if(parse_headers(msg,HDR_EOH_F,0)<0){
       myerror="in parse_headers";
       goto error;
@@ -266,6 +267,11 @@ int encode_msg(struct sip_msg *msg,char *payload,int len)
    /*j+=k;*/
    /*pkg_free(payload2);*/
    /*now we copy the actual message after the headers-meta-section*/
+
+	if(len < j + msg->len + 1) {
+   	   LM_ERR("not enough space to encode sip message\n");
+   	   return -1;
+	}
    memcpy(&payload[j],msg->buf,msg->len);
    LM_DBG("msglen = %d,msg starts at %d\n",msg->len,j);
    j=htons(j);

    