[sr-dev] git:master: exec: safety check against bash vulnerability CVE-2014-6271

[Daniel-Constantin Mierla]

Module: sip-router
Branch: master
Commit: d5d57c0df931c9d60432def919c837cc76e4ce42
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=d5d57c0df931c9d60432def919c837cc76e4ce42

Author: Seudin Kasumovic <seudin.kasumovic at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date:   Thu Sep 25 16:56:28 2014 +0200

exec: safety check against bash vulnerability CVE-2014-6271

---

 modules/exec/exec_hf.c |   18 ++++++++++++++----
 1 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/modules/exec/exec_hf.c b/modules/exec/exec_hf.c
index c83550f..e0e5491 100644
--- a/modules/exec/exec_hf.c
+++ b/modules/exec/exec_hf.c
@@ -256,12 +256,22 @@ static int print_hf_var(struct hf_wrapper *w, int offset)
 	memcpy(envvar, w->prefix, w->prefix_len); c=envvar+w->prefix_len;
 	memcpy(c, hname, hlen ); c+=hlen;
 	*c=EV_ASSIGN;c++;
-	memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len );
-	c+=w->u.hf->body.len;
+	if (!strncmp(w->u.hf->body.s,"() {",MIN(w->u.hf->body.len,4))) {
+		memcpy(c, w->u.hf->body.s+offset+2, w->u.hf->body.len-2 );
+		c+=(w->u.hf->body.len-2);
+	} else {
+		memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len );
+		c+=w->u.hf->body.len;
+	}
 	for (wi=w->next_same; wi; wi=wi->next_same) {
 		*c=HF_SEPARATOR;c++;
-		memcpy(c, wi->u.hf->body.s+offset, wi->u.hf->body.len );
-		c+=wi->u.hf->body.len;
+		if (!strncmp(w->u.hf->body.s,"() {",MIN(w->u.hf->body.len,4))) {
+			memcpy(c, w->u.hf->body.s+offset+2, w->u.hf->body.len-2 );
+			c+=(w->u.hf->body.len-2);
+		} else {
+			memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len );
+			c+=w->u.hf->body.len;
+		}
 	}
 	*c=0; /* zero termination */
 	LM_DBG("%s\n", envvar );