[sr-dev] git:master:2ebcb840: utils: Fix buffer overflow; do not NULL-terminate HTTP result

Carsten Bock carsten at ng-voice.com
Fri Aug 28 12:11:36 CEST 2015


Module: kamailio
Branch: master
Commit: 2ebcb840b189d9a992923cdd32d80764987a5923
URL: https://github.com/kamailio/kamailio/commit/2ebcb840b189d9a992923cdd32d80764987a5923

Author: Carsten Bock <carsten at ng-voice.com>
Committer: Carsten Bock <carsten at ng-voice.com>
Date: 2015-08-28T12:11:25+02:00

utils: Fix buffer overflow; do not NULL-terminate HTTP result

Fix buffer overflow in the `write_function` that takes the resulting
data from libcurl. The function was trying to NULL terminate the
string, but this could result in overwriting the buffer by one byte
when size*nmemb == 1.
This also caused some memory corruptions, reported on sr-dev.

Reported by: Travis Cross <tc at traviscross.com>

---

Modified: modules/utils/functions.c

---

Diff:  https://github.com/kamailio/kamailio/commit/2ebcb840b189d9a992923cdd32d80764987a5923.diff
Patch: https://github.com/kamailio/kamailio/commit/2ebcb840b189d9a992923cdd32d80764987a5923.patch

---

diff --git a/modules/utils/functions.c b/modules/utils/functions.c
index 2d06403..e049056 100644
--- a/modules/utils/functions.c
+++ b/modules/utils/functions.c
@@ -2,7 +2,7 @@
  * script functions of utils module
  *
  * Copyright (C) 2008 Juha Heinanen
- * Copyright (C) 2013 Carsten Bock, ng-voice GmbH
+ * Copyright (C) 2013-2015 Carsten Bock, ng-voice GmbH
  *
  * This file is part of Kamailio, a free SIP server.
  *
@@ -55,7 +55,7 @@ size_t write_function( void *ptr, size_t size, size_t nmemb, void *stream_ptr)
 	http_res_stream_t *stream = (http_res_stream_t *) stream_ptr;
 
 	stream->buf = (char *) pkg_realloc(stream->buf, stream->curr_size + 
-			(size * nmemb) + 1);
+			(size * nmemb));
 
 	if (stream->buf == NULL) {
 		LM_ERR("cannot allocate memory for stream\n");
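Review bot: The result of pkg_realloc is assigned straight back to stream->buf in this hunk, so when the call returns NULL the previous pointer is overwritten and whatever was already collected can no longer be freed or used, unless pkg_realloc itself releases the old block on failure. Assign the result to a temporary and only update stream->buf on success. The new length, stream->curr_size + (size * nmemb), is also computed with no overflow check; a guard before the realloc would keep the memcpy in the next hunk from running against a wrapped size.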
@@ -64,15 +64,12 @@ size_t write_function( void *ptr, size_t size, size_t nmemb, void *stream_ptr)
 
 	memcpy(&stream->buf[stream->pos], (char *) ptr, (size * nmemb));
 
-	stream->curr_size += ((size * nmemb) + 1);
+	stream->curr_size += (size * nmemb);
 	stream->pos += (size * nmemb);
 
-	stream->buf[stream->pos + 1] = '\0';
-
 	return size * nmemb;
 }
 
-
 /* 
  * Performs http_query and saves possible result (first body line of reply)
  * to pvar.
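Review bot: Removing the terminator write at `stream->buf[stream->pos + 1] = '\0';` makes stream->buf a length-delimited buffer with nothing marking its end, so every consumer must bound its reads by stream->pos. The callers are not part of this diff and should be checked for strlen-style scanning or %s formatting of the buffer. A comment on write_function or on http_res_stream_t stating that buf is not NUL-terminated would document the new contract. After this change curr_size and pos advance by the same amount on every call, so if they start equal one of the two fields is redundant and could be dropped.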



