[sr-dev] git:4.3:18cd3478: seas: safety check for target buffer size before copying message in encode_msg()

Daniel-Constantin Mierla miconda at gmail.com
Fri Feb 12 18:07:19 CET 2016


Module: kamailio
Branch: 4.3
Commit: 18cd34781d2bdda9c19314c0494f6a655dbe6089
URL: https://github.com/kamailio/kamailio/commit/18cd34781d2bdda9c19314c0494f6a655dbe6089

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2016-02-12T18:06:57+01:00

seas: safety check for target buffer size before copying message in encode_msg()

- avoid buffer overflow for large SIP messages
- reported by Stelios Tsampas

(cherry picked from commit f50c9c853e7809810099c970780c30b0765b0643)

---

Modified: modules/seas/encode_msg.c

---

Diff:  https://github.com/kamailio/kamailio/commit/18cd34781d2bdda9c19314c0494f6a655dbe6089.diff
Patch: https://github.com/kamailio/kamailio/commit/18cd34781d2bdda9c19314c0494f6a655dbe6089.patch

---

diff --git a/modules/seas/encode_msg.c b/modules/seas/encode_msg.c
index 06d31a3..e56b5fb 100644
--- a/modules/seas/encode_msg.c
+++ b/modules/seas/encode_msg.c
@@ -158,6 +158,7 @@ int encode_msg(struct sip_msg *msg,char *payload,int len)
 
    if(len < MAX_ENCODED_MSG + MAX_MESSAGE_LEN)
       return -1;
+
    if(parse_headers(msg,HDR_EOH_F,0)<0){
       myerror="in parse_headers";
       goto error;
@@ -266,6 +267,11 @@ int encode_msg(struct sip_msg *msg,char *payload,int len)
    /*j+=k;*/
    /*pkg_free(payload2);*/
    /*now we copy the actual message after the headers-meta-section*/
+
+	if(len < j + msg->len + 1) {
+   	   LM_ERR("not enough space to encode sip message\n");
+   	   return -1;
+	}
    memcpy(&payload[j],msg->buf,msg->len);
    LM_DBG("msglen = %d,msg starts at %d\n",msg->len,j);
    j=htons(j);




More information about the sr-dev mailing list