Fix issues where a non-zero terminated string would get passed to `parse_user_data`.
#### Pre-Submission Checklist
- [X] Commit message has the format required by CONTRIBUTING guide
- [X] Commits are split per component (core, individual modules, libs, utils, ...)
- [X] Each component has a single commit (if not, squash them into one commit)
- [X] No commits to README files for modules (changes must be done to docbook files in `doc/` subfolder, the README file is autogenerated)

#### Type Of Change
- [X] Small bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds new functionality)
- [ ] Breaking change (fix or feature that would change existing functionality)

#### Checklist:
- [X] PR should be backported to stable branches
- [X] Tested changes locally
- [ ] Related to issue #XXXX (replace XXXX with an open issue number)

#### Description
You can view, comment on, or merge this pull request online at:
https://github.com/kamailio/kamailio/pull/3050
-- Commit Summary --
* ims_registrar_scscf: use xmlParseMemory instead of xmlParseDoc
-- File Changes --
M src/modules/ims_registrar_scscf/userdata_parser.c (4)
-- Patch Links --
https://github.com/kamailio/kamailio/pull/3050.patch
https://github.com/kamailio/kamailio/pull/3050.diff
@alexyosifov - any comment on this PR?
I don't know what is fixed/changed in the code by using xmlParseMemory instead of xmlParseDoc, but I hope that it is tested by @kristiyan-peychev-flolive. Maybe he can elaborate a little bit more.
The bug I encountered was quite the corner case; I'm not surprised nobody's noticed it. It's because the strings here are not zero-terminated by default, but `parse_user_data` requires a zero-terminated string by virtue of documentation. The bug I got was during Diameter Cx registration termination requests with very specific XMLs being received; I managed to hit a place that was passing a string that was not zero-terminated. The end result was a failed check against the XML schema and the request being interpreted as invalid. I believe I've solved the issue fundamentally by using `xmlParseMemory` instead of `xmlParseDoc` because the latter requires a zero-terminated string, while the former works with a buffer length, which is exactly what the strings here do.
Thanks!
Merged #3050 into master.
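An added illustration of the bug class discussed in this thread, not code from the pull request or from Kamailio: a counted string that is a slice of a larger buffer is read once with `strlen()` (how a zero-terminated API such as `xmlParseDoc` finds the end of its input) and once with its explicit length (what `xmlParseMemory` takes). The `str` type is modeled on Kamailio's counted string; `toy_xml_ok`, the sample buffer and all function names are assumptions, and the toy checker stands in for libxml2.

```c
#include <stdio.h>
#include <string.h>

/* Counted string modeled on Kamailio's str: s is not guaranteed NUL-terminated. */
typedef struct { const char *s; int len; } str;

/* Toy stand-in for an XML parser (assumption, not libxml2; no attributes):
 * returns 1 when the n bytes at p hold balanced tags and nothing after the root. */
static int toy_xml_ok(const char *p, int n)
{
    const char *name[16]; int nlen[16], depth = 0, seen_root = 0, i = 0;
    while (i < n) {
        if (p[i] != '<') {               /* text byte */
            if (depth == 0) return 0;    /* data outside the root element */
            i++; continue;
        }
        int closing = (i + 1 < n && p[i + 1] == '/');
        int start = i + 1 + closing, j = start;
        while (j < n && p[j] != '>') j++;
        if (j >= n || j == start) return 0;   /* unterminated or empty tag */
        if (!closing) {
            if (depth == 16 || (depth == 0 && seen_root)) return 0;
            name[depth] = p + start; nlen[depth] = j - start; depth++; seen_root = 1;
        } else {
            if (depth == 0) return 0;
            depth--;                          /* closing name must match the opener */
            if (nlen[depth] != j - start ||
                memcmp(name[depth], p + start, (size_t)nlen[depth])) return 0;
        }
        i = j + 1;
    }
    return seen_root && depth == 0;
}

/* Zero-terminated style (as xmlParseDoc takes): the end comes from strlen(). */
int parse_as_cstring(str in) { return toy_xml_ok(in.s, (int)strlen(in.s)); }
/* Length-taking style (as xmlParseMemory takes): exactly in.len bytes are read. */
int parse_as_buffer(str in) { return toy_xml_ok(in.s, in.len); }

/* Constructed sample: XML user data followed by unrelated bytes of the message. */
static const char msg[] =
    "<IMSSubscription><PrivateID>u@example.org</PrivateID></IMSSubscription>"
    "\x01\x02next-avp";
str sample_user_data(void) { str d = { msg, (int)(strchr(msg, '\x01') - msg) }; return d; }

int main(void)
{
    str d = sample_user_data();
    printf("cstring=%d buffer=%d\n", parse_as_cstring(d), parse_as_buffer(d));
}
```

In this sample the bytes after the slice still belong to the same array, so the `strlen()` read stays in bounds and only the validation result changes; when no terminator follows inside the allocation, the same call reads past the buffer.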