[sr-dev] git:master: core: safety check for content-lenght size in tcp read
Daniel-Constantin Mierla
miconda at gmail.com
Fri Apr 12 00:52:47 CEST 2013
Module: sip-router
Branch: master
Commit: 3c54420914c011bdd874a97c4c40ee9dacb59788
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=3c54420914c011bdd874a97c4c40ee9dacb59788
Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: Fri Apr 12 00:50:24 2013 +0200
core: safety check for content-lenght size in tcp read
- avoid getting negative
- upon a report by Kevin Wojtysiak
---
tcp_read.c | 14 ++++++++++++++
1 files changed, 14 insertions(+), 0 deletions(-)
diff --git a/tcp_read.c b/tcp_read.c
index 53f4a7a..37b577f 100644
--- a/tcp_read.c
+++ b/tcp_read.c
@@ -797,11 +797,25 @@ int tcp_read_headers(struct tcp_connection *c, int* read_flags)
case '\r':
case ' ':
case '\t': /* FIXME: check if line contains only WS */
+ if(r->content_len<0) {
+ LOG(L_ERR, "bad Content-Length header value %d in"
+ " state %d\n", r->content_len, r->state);
+ r->content_len=0;
+ r->error=TCP_REQ_BAD_LEN;
+ r->state=H_SKIP; /* skip now */
+ }
r->state=H_SKIP;
r->flags|=F_TCP_REQ_HAS_CLEN;
break;
case '\n':
/* end of line, parse successful */
+ if(r->content_len<0) {
+ LOG(L_ERR, "bad Content-Length header value %d in"
+ " state %d\n", r->content_len, r->state);
+ r->content_len=0;
+ r->error=TCP_REQ_BAD_LEN;
+ r->state=H_SKIP; /* skip now */
+ }
r->state=H_LF;
r->flags|=F_TCP_REQ_HAS_CLEN;
break;
More information about the sr-dev
mailing list