[OpenSER-Devel] [ openser-Bugs-1873335 ] Possible buffer overflow in get_all_db_ucontacts
SourceForge.net
noreply at sourceforge.net
Thu Jan 17 00:15:30 UTC 2008
Bugs item #1873335, was opened at 2008-01-16 16:15
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1873335&group_id=139143
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: ver devel
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Matt Reilly (sipphonematt)
Assigned to: Nobody/Anonymous (nobody)
Summary: Possible buffer overflow in get_all_db_ucontacts
Initial Comment:
The get_all_db_ucontacts() function in modules/usrloc/dlist.c has a possible buffer overflow when adding the path column to the results.
The function is passed a buffer "buf" (which is copied into the variable "cp").
The size of this buffer is checked before adding the contact, socket and dbflags:
    needed = (int)(sizeof(p_len)+p_len+sizeof(sock)+sizeof(dbflags));
    if (len < needed) {
        shortage += needed ;
        continue;
    }
However, the size of the path is never checked before adding this to the buffer:
    /* path */
    p = (char*)VAL_STRING(ROW_VALUES(row)+4);
    if (VAL_NULL(ROW_VALUES(row)+4) || p==0 || p[0]==0){
        p = NULL;
        p_len = 0;
    } else {
        p_len = strlen(p);
    }
    /* write path */
    memcpy(cp, &p_len, sizeof(p_len));
    cp = (char*)cp + sizeof(p_len);
    memcpy(cp, p, p_len);
    cp = (char*)cp + p_len;
Not only is the buffer not checked to see that it can hold the path, but the length that's added is also not subtracted from "len", i.e. there is no "len -= sizeof(p_len) + p_len;"
To solve, "needed" should also add the space used by the path data.
----------------------------------------------------------------------
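Added example (not part of the original report and not OpenSER's code): a bounded record writer showing the check the report asks for, with the path length counted in "needed" and subtracted from "len". The name pack_contact, the record layout and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not OpenSER code. Assumed record layout:
 * [c_len][contact][sock][dbflags][p_len][path].
 * Returns 0 on success. If the record does not fit, returns the number
 * of bytes it needs and writes nothing, so the caller can add that
 * value to its shortage counter and skip the row. */
static size_t pack_contact(char **cp, size_t *len, const char *contact,
                           const void *sock, unsigned int dbflags,
                           const char *path)
{
    int c_len = (int)strlen(contact);
    int p_len = (path && path[0]) ? (int)strlen(path) : 0;
    size_t needed = sizeof(c_len) + (size_t)c_len + sizeof(sock)
                  + sizeof(dbflags) + sizeof(p_len) + (size_t)p_len;
    char *w = *cp;

    if (*len < needed)          /* one check covers every field, path included */
        return needed;

    memcpy(w, &c_len, sizeof(c_len));     w += sizeof(c_len);
    memcpy(w, contact, (size_t)c_len);    w += c_len;
    memcpy(w, &sock, sizeof(sock));       w += sizeof(sock);
    memcpy(w, &dbflags, sizeof(dbflags)); w += sizeof(dbflags);
    memcpy(w, &p_len, sizeof(p_len));     w += sizeof(p_len);
    if (p_len)                  /* never memcpy from a NULL path */
        memcpy(w, path, (size_t)p_len);
    w += p_len;

    *len -= needed;             /* remaining space accounts for the path too */
    *cp = w;
    return 0;
}

int main(void)
{
    char buf[48], *cp = buf;    /* constructed sample: too small for the path */
    size_t len = sizeof(buf);
    size_t need = pack_contact(&cp, &len, "sip:a@example.com", NULL, 0,
                               "<sip:proxy.example.com;lr>");
    printf("needed=%zu, free=%zu\n", need, len);
    return 0;
}
```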