[sr-dev] git:4.0: modules/ims_isc: several safety checks

[Camille Oudot]

Module: sip-router
Branch: 4.0
Commit: 56ba8ea8b1f1f26ccc36dfb073e1559eca4d77b1
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=56ba8ea8b1f1f26ccc36dfb073e1559eca4d77b1

Author: Camille Oudot <camille.oudot at orange.com>
Committer: Camille Oudot <camille.oudot at orange.com>
Date:   Tue Jun 11 16:34:49 2013 +0200

modules/ims_isc: several safety checks

- fixed potential buffer overflow
- fixed potential crash if regcomp fails

---

 modules/ims_isc/checker.c |   21 +++++++++++++++++++--
 1 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/modules/ims_isc/checker.c b/modules/ims_isc/checker.c
index fd44f06..31921a4 100644
--- a/modules/ims_isc/checker.c
+++ b/modules/ims_isc/checker.c
@@ -57,15 +57,32 @@ static int isc_check_headers(ims_spt *spt, struct hdr_field *headers) {
 	char buf[256];
 	regex_t header_comp, content_comp;
 	i = headers;
+
+    if (spt->sip_header.header.len >= sizeof(buf)) {
+        LM_ERR("Header name \"%.*s\" is to long to be processed (max %d bytes)\n", spt->sip_header.header.len, spt->sip_header.header.s, (int) (sizeof(buf) - 1));
+        return FALSE;
+    }
+    if (spt->sip_header.content.len >= sizeof(buf)) {
+        LM_ERR("Header content \"%.*s\" is to long to be processed (max %d bytes)\n", spt->sip_header.content.len, spt->sip_header.content.s, (int) (sizeof(buf) - 1));
+        return FALSE;
+    }
+
 	/* compile the regex for header name */
 	memcpy(buf, spt->sip_header.header.s, spt->sip_header.header.len);
 	buf[spt->sip_header.header.len] = 0;
-	regcomp(&(header_comp), buf, REG_ICASE | REG_EXTENDED);
+	if (regcomp(&(header_comp), buf, REG_ICASE | REG_EXTENDED) != 0) {
+	    LM_ERR("Error compiling the following regexp for header name: %.*s\n", spt->sip_header.header.len, spt->sip_header.header.s);
+	    return FALSE;
+	}
 
 	/* compile the regex for content */
 	memcpy(buf, spt->sip_header.content.s, spt->sip_header.content.len);
 	buf[spt->sip_header.content.len] = 0;
-	regcomp(&(content_comp), buf, REG_ICASE | REG_EXTENDED);
+	if(regcomp(&(content_comp), buf, REG_ICASE | REG_EXTENDED) != 0) {
+	    LM_ERR("Error compiling the following regexp for header content: %.*s\n", spt->sip_header.content.len, spt->sip_header.content.s);
+	    regfree(&(header_comp));
+	    return FALSE;
+	}
 
 	LM_DBG("isc_check_headers: Looking for Header[%.*s(%d)] %.*s \n",
 			spt->sip_header.header.len, spt->sip_header.header.s, spt->sip_header.type, spt->sip_header.content.len, spt->sip_header.content.s);