git:master:055fca8d: topoh: add additional safety checks - sr-dev

3 Apr 2017

Module: kamailio
Branch: master
Commit: 055fca8dd2ca9c2ea683a2ea3748d6728d54e5a5
URL: https://github.com/kamailio/kamailio/commit/055fca8dd2ca9c2ea683a2ea3748d672...
Author: Claudiu Boriga paul.boriga@1and1.ro
Committer: Claudiu Boriga paul.boriga@1and1.ro
Date: 2017-04-03T15:37:31+03:00
topoh: add additional safety checks
- verify that headers contain expected prefix (including mask ip)
  before trying to unmask them; otherwise there may be issues when
  kamailio receives messages that are not masked and topoh is enabled.
---
Modified: src/modules/topoh/th_msg.c
---
Diff:  https://github.com/kamailio/kamailio/commit/055fca8dd2ca9c2ea683a2ea3748d672...
Patch: https://github.com/kamailio/kamailio/commit/055fca8dd2ca9c2ea683a2ea3748d672...
---

diff --git a/src/modules/topoh/th_msg.c b/src/modules/topoh/th_msg.c
index a320c4a..a1f117e3 100644
--- a/src/modules/topoh/th_msg.c
+++ b/src/modules/topoh/th_msg.c
@@ -390,6 +390,14 @@ int th_unmask_via(sip_msg_t *msg, str *cookie)
    		LM_DBG("body: %d: [%.*s]\n", vlen, vlen, via->name.s);
    		if(i!=1)
    		{
+				/* Skip if via is not encoded */
+				if (via->host.len!=th_ip.len
+						|| strncasecmp(via->host.s, th_ip.s, th_ip.len)!=0)
+				{
+					LM_DBG("via %d is not encoded",i);
+					continue;
+				}
+
    			vp = th_get_via_param(via, &th_vparam_name);
    			if(vp==NULL)
    			{
@@ -404,7 +412,7 @@ int th_unmask_via(sip_msg_t *msg, str *cookie)
    						&th_vparam_prefix, 0, &out.len);
    			if(out.s==NULL)
    			{
-					LM_ERR("cannot encode via %d\n", i);
+					LM_ERR("cannot decode via %d\n", i);
    				return -1;
    			}
    				
@@ -475,6 +483,14 @@ int th_unmask_callid(sip_msg_t *msg)
    	LM_ERR("cannot get Call-Id header\n");
    	return -1;
    }
+
+	/* Do nothing if call-id is not encoded */
+	if ((msg->callid->body.len<th_callid_prefix.len) ||
+			(strncasecmp(msg->callid->body.s,th_callid_prefix.s,th_callid_prefix.len)!=0))
+	{
+		LM_DBG("call-id [%.*s] not encoded",msg->callid->body.len,msg->callid->body.s);
+		return 0;
+	}
    			
    out.s = th_mask_decode(msg->callid->body.s, msg->callid->body.len,
    				&th_callid_prefix, 0, &out.len);
@@ -670,6 +686,15 @@ int th_unmask_route(sip_msg_t *msg)
    		i++;
    		if(i!=1)
    		{
+				/* Skip if route is not encoded */
+				if ((rr->nameaddr.uri.len<th_uri_prefix.len) ||
+						(strncasecmp(rr->nameaddr.uri.s,th_uri_prefix.s,th_uri_prefix.len)!=0))
+				{
+					LM_DBG("rr %d is not encoded: [%.*s]",i,rr->nameaddr.uri.len,rr->nameaddr.uri.s);
+					rr = rr->next;
+					continue;
+				}
+
    			if(th_get_uri_param_value(&rr->nameaddr.uri, &th_uparam_name,
    						&eval)<0 || eval.len<=0)
    				return -1;
@@ -710,6 +735,14 @@ int th_unmask_ruri(sip_msg_t *msg)
    struct lump* l;
    str out;
+	/* Do nothing if ruri is not encoded */
+	if ((REQ_LINE(msg).uri.len<th_uri_prefix.len) ||
+			(strncasecmp(REQ_LINE(msg).uri.s,th_uri_prefix.s,th_uri_prefix.len)!=0))
+	{
+		LM_DBG("ruri [%.*s] is not encoded",REQ_LINE(msg).uri.len,REQ_LINE(msg).uri.s);
+		return 0;
+	}
+
    if(th_get_uri_param_value(&REQ_LINE(msg).uri, &th_uparam_name, &eval)<0
    		|| eval.len<=0)
    	return -1;
@@ -763,6 +796,15 @@ int th_unmask_refer_to(sip_msg_t *msg)
    }
uri = &(get_refer_to(msg)->uri);
+
+	/* Do nothing if refer_to is not encoded */
+	if ((uri->len<th_uri_prefix.len)
+			|| (strncasecmp(uri->s, th_uri_prefix.s, th_uri_prefix.len)!=0))
+	{
+		LM_DBG("refer-to [%.*s] is not encoded",uri->len,uri->s);
+		return 0;
+	}
+
    if(th_get_uri_param_value(uri, &th_uparam_name, &eval)<0
    		|| eval.len<=0)
    	return -1;

    