[sr-dev] git:master:ca8e6540: * Fix for buffer overflow in enum_pv_query_3 for char string[17] where the boundary checks for it in is_e164 use MAX_NUM_LEN.

Stefan Andersson stefan.andersson at tele2.com
Wed Jun 3 11:48:33 CEST 2015


Module: kamailio
Branch: master
Commit: ca8e6540cd2cd31b63b192a5a3da282eb09b6c94
URL: https://github.com/kamailio/kamailio/commit/ca8e6540cd2cd31b63b192a5a3da282eb09b6c94

Author: Stefan Andersson <stefan.andersson at tele2.com>
Committer: Stefan Andersson <stefan.andersson at tele2.com>
Date: 2015-06-03T10:54:25+02:00

* Fix for buffer overflow in enum_pv_query_3 for char string[17] where the boundary checks for it in is_e164 use MAX_NUM_LEN.
* Increased the size of MAX_NUM_LEN to 33 to support the maximum number length of 32, which is what we support here on our ISUP links.

Bug: The buffer overflow bug can be triggered by calling enum_pv_query with a number that is too long, e.g. +1234567890123456789

---

Modified: modules/enum/enum.c
Modified: modules/enum/enum.h

---

Diff:  https://github.com/kamailio/kamailio/commit/ca8e6540cd2cd31b63b192a5a3da282eb09b6c94.diff
Patch: https://github.com/kamailio/kamailio/commit/ca8e6540cd2cd31b63b192a5a3da282eb09b6c94.patch

---

diff --git a/modules/enum/enum.c b/modules/enum/enum.c
index 3c21c2f..6439f54 100644
--- a/modules/enum/enum.c
+++ b/modules/enum/enum.c
@@ -34,7 +34,7 @@
  * based on the user part of the current Request-URI. These functions
  * assume that the Request URI user part consists of an international
  * phone number of the form +decimal-digits, where the number of digits is
- * at least 2 and at most 15. Out of this number enum_query forms a domain
+ * at least 2 and at most 32. Out of this number enum_query forms a domain
  * name, where the digits are in reverse order and separated by dots
  * followed by domain suffix that by default is "e164.arpa.". For example,
  * if the user part is +35831234567, the domain name will be
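Review bot: the header comment now says "at most 32" digits but still describes the input as an international phone number mapped under "e164.arpa.", and E.164 itself limits numbers to 15 digits. Please state in the comment that 32 is a deliberate local extension (the commit message gives ISUP links as the reason), and tie the figure to MAX_NUM_LEN by name so the comment and the constant cannot drift apart again, which is how the old text and the old buffer size came to disagree.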
@@ -1005,7 +1005,7 @@ int enum_pv_query_3(struct sip_msg* _msg, char* _sp, char* _suffix,
 	struct naptr_rdata* naptr;
 	str pattern, replacement, result, new_result;
 	str *suffix, *service;
-	char string[17];
+	char string[MAX_NUM_LEN];
 	pv_spec_t *sp;
 	pv_value_t pv_val;
 
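Review bot: sizing `string` with MAX_NUM_LEN fixes the mismatch with the literal 17, but the write into `string` is not visible in this hunk, so the fix still depends on a length check made elsewhere (is_e164, per the commit message). I would bound the copy itself with sizeof(string) at the point of the write, and confirm that the is_e164 limit leaves room for the terminating NUL and, if it is copied, the leading '+'. It is also worth checking the other enum query functions in this file for local buffers declared with a literal size.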
diff --git a/modules/enum/enum.h b/modules/enum/enum.h
index 838caf6..1f1a509 100644
--- a/modules/enum/enum.h
+++ b/modules/enum/enum.h
@@ -35,7 +35,7 @@
 
 
 #define MAX_DOMAIN_SIZE 256
-#define MAX_NUM_LEN 22
+#define MAX_NUM_LEN 33
 #define MAX_COMPONENT_SIZE (MAX_NUM_LEN * 2)  /* separator, apex, ... This simplifies checks */
 
 
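Review bot: `#define MAX_NUM_LEN 33` has no comment saying what the 33 covers. The commit message gives it as 32 plus one, but the source comment describes the input as "+decimal-digits", so it is unclear whether the leading '+' and the terminating NUL both fit for a 32-digit number. Please document the constant (for example digits, plus sign, NUL) and adjust it if the '+' is counted. Note also that MAX_COMPONENT_SIZE is derived from it and grows from 44 to 66, so any buffer sized with either macro gets larger while MAX_DOMAIN_SIZE stays at 256; a short check that the reversed, dot-separated number plus suffix still fits would be good to have in the commit message.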