[sr-dev] git:master:964ed0a5: parser: fix overflow access when parsing Reason header stored in short buffer

Daniel-Constantin Mierla miconda at gmail.com
Wed Sep 2 13:31:42 CEST 2015


Module: kamailio
Branch: master
Commit: 964ed0a5083413eb0a70bd8a952d5a91ee9e9883
URL: https://github.com/kamailio/kamailio/commit/964ed0a5083413eb0a70bd8a952d5a91ee9e9883

Author: Chris Double <chris.double at double.co.nz>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2015-09-02T13:15:37+02:00

parser: fix overflow access when parsing Reason header stored in short buffer

- it can happen for fixup functions from the textops module having the
  header name as a parameter, with critical impact when using system
  malloc; the internal pkg malloc does a roundup of the allocated space
- the issue is caused by the word (4 bytes) read step performed by
  parse_hname2() - second 4-byte read in buffer "Reason:" exceeds the
  size by 1
- added a safe read macro that reads 1, 2 or 3 bytes if the size of the
  buffer is not big enough for a 4-byte read

---

Modified: parser/case_reas.h
Modified: parser/parse_hname2.c

---

Diff:  https://github.com/kamailio/kamailio/commit/964ed0a5083413eb0a70bd8a952d5a91ee9e9883.diff
Patch: https://github.com/kamailio/kamailio/commit/964ed0a5083413eb0a70bd8a952d5a91ee9e9883.patch

---

diff --git a/parser/case_reas.h b/parser/case_reas.h
index e6b8d97..5df0a9d 100644
--- a/parser/case_reas.h
+++ b/parser/case_reas.h
@@ -49,7 +49,7 @@
 
 #define reas_CASE		\
 	p += 4;				\
-	val = READ(p);		\
+	val = SAFE_READ(p, end - p);	\
 	ON_CASE;			\
 	goto other;
 
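Review bot: the new `SAFE_READ(p, end - p)` in `reas_CASE` relies on `end` being in scope and pointing one past the last readable byte wherever this macro is expanded, but the hunk gives no hint of that contract; a one-line comment above `#define reas_CASE` saying that `end` must be the buffer end of the header-name buffer would prevent a later expansion site from silently reintroducing the overrun. Note also that `p += 4` runs before `end - p` is computed, so the length passed is the bytes remaining after the advance, and when that difference is negative the selector in `SAFE_READ` falls through to `READ0`, which returns 0 and matches no case; that only holds while `end - p` stays a signed `ptrdiff_t`, so nothing should cast it to an unsigned type. Finally, since the commit message explains that "Reason:" overruns because its 7 bytes leave only 3 for the second word read, it is worth stating in the commit or in this header why only `reas_CASE` needs `SAFE_READ`, or applying the same change to any other `*_CASE` macro that has the identical `p += 4; val = READ(p);` shape.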
diff --git a/parser/parse_hname2.c b/parser/parse_hname2.c
index 42fb865..e4188a0 100644
--- a/parser/parse_hname2.c
+++ b/parser/parse_hname2.c
@@ -95,11 +95,26 @@ static inline char* skip_ws(char* p, unsigned int size)
 
 /*@} */
 
+#define SAFE_READ(val, len) \
+((len) == 1 ? READ1(val) : ((len) == 2 ? READ2(val) : ((len) == 3 ? READ3(val) : ((len) > 3 ? READ4(val) : READ0(val)))))
+
 #define READ(val) \
-(*(val + 0) + (*(val + 1) << 8) + (*(val + 2) << 16) + (*(val + 3) << 24))
+READ4(val)
+
+#define READ4(val) \
+(*((val) + 0) + (*((val) + 1) << 8) + (*((val) + 2) << 16) + (*((val) + 3) << 24))
 
 #define READ3(val) \
-(*(val + 0) + (*(val + 1) << 8) + (*(val + 2) << 16))
+(*((val) + 0) + (*((val) + 1) << 8) + (*((val) + 2) << 16))
+
+#define READ2(val) \
+(*((val) + 0) + (*((val) + 1) << 8))
+
+#define READ1(val) \
+(*((val) + 0))
+
+#define READ0(val) \
+(0)
 
 #define FIRST_QUATERNIONS       \
         case _via1_: via1_CASE; \
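Review bot: `SAFE_READ` carries no comment stating its contract, and its `len` argument is evaluated up to four times in the nested ternary, so it must only ever be given a side-effect-free expression; please add a comment above the `#define` along the lines of `/* len: bytes readable at val (signed); reads min(len,4) bytes, 0 if len < 1 */` and split the one-line ternary across lines so each branch is readable. Two behavioural points are worth recording in that comment as well: a 1-, 2- or 3-byte result is deliberately compared against the 4-byte case constants in `ON_CASE`, so a short read can never match and always falls to `other`, which is the intended outcome; and `READ0(val)` ignores `val` entirely, which is fine but looks like a typo without explanation. The added parentheses around `(val)` in `READ4`/`READ3`/`READ2`/`READ1` are a good fix independent of the overflow; `READ(val)` now forwarding to `READ4(val)` keeps every existing caller unchanged.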
