[sr-dev] git:master:5a0e1c96: permissions: safety check of src len before copying to dst buffer

Daniel-Constantin Mierla miconda at gmail.com
Mon Nov 7 09:56:07 CET 2016


Module: kamailio
Branch: master
Commit: 5a0e1c96bb7b315d9f9be05db402e63390e2eaaf
URL: https://github.com/kamailio/kamailio/commit/5a0e1c96bb7b315d9f9be05db402e63390e2eaaf

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2016-11-06T17:08:00+01:00

permissions: safety check of src len before copying to dst buffer

---

Modified: modules/permissions/parse_config.c
Modified: modules/permissions/rule.c

---

Diff:  https://github.com/kamailio/kamailio/commit/5a0e1c96bb7b315d9f9be05db402e63390e2eaaf.diff
Patch: https://github.com/kamailio/kamailio/commit/5a0e1c96bb7b315d9f9be05db402e63390e2eaaf.patch

---

diff --git a/modules/permissions/parse_config.c b/modules/permissions/parse_config.c
index a96ed30..df33123 100644
--- a/modules/permissions/parse_config.c
+++ b/modules/permissions/parse_config.c
@@ -102,18 +102,23 @@ static int parse_expression_list(char *str, expression **e)
  * return 0 on success, -1 on error
  * parsed expressions are returned in **e, and exceptions are returned in **e_exceptions
  */
-static int parse_expression(char *str, expression **e, expression **e_exceptions)
+static int parse_expression(char *sv, expression **e, expression **e_exceptions)
 {
 	char *except, str2[LINE_LENGTH+1];
 	int  i,j;
 
-	if (!str || !e || !e_exceptions) return -1;
+	if (!sv || !e || !e_exceptions) return -1;
 
-	except = strstr(str, " EXCEPT ");
+	if(strlen(sv)>=LINE_LENGTH) {
+		LM_ERR("expression string is too long (%s)\n", sv);
+		return -1;
+	}
+
+	except = strstr(sv, " EXCEPT ");
 	if (except) {
 		/* exception found */
-		strncpy(str2, str, except-str);
-		str2[except-str] = '\0';
+		strncpy(str2, sv, except-sv);
+		str2[except-sv] = '\0';
 		/* except+8 points to the exception */
 		if (parse_expression_list(except+8, e_exceptions)) {
 			/* error */
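Review bot: The new guard in parse_expression rejects over-long input, but the `LM_ERR` call then prints the whole rejected string with `%s`, so a malformed config line of arbitrary size ends up in the log. Logging the length keeps the message bounded, e.g. `LM_ERR("expression string is too long (%d >= %d)\n", (int)strlen(sv), LINE_LENGTH);`, assuming LINE_LENGTH is an integer constant. The same logging pattern appears in the new_expression hunk in rule.c. The bound itself matches `str2[LINE_LENGTH+1]` and also covers the `strcpy(str2, sv)` in the next hunk. The function body continues outside this hunk.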
@@ -122,7 +127,7 @@ static int parse_expression(char *str, expression **e, expression **e_exceptions
 		}
 	} else {
 		/* no exception */
-		strcpy(str2, str);
+		strcpy(str2, sv);
 		*e_exceptions = NULL;
 	}
 
diff --git a/modules/permissions/rule.c b/modules/permissions/rule.c
index 093911a..cd38a30 100644
--- a/modules/permissions/rule.c
+++ b/modules/permissions/rule.c
@@ -116,11 +116,16 @@ int search_rule(rule *r, char *left, char *right)
  * allocate memory for a new expression
  * str is saved in vale, and compiled to POSIX regexp (reg_value)
  */
-expression *new_expression(char *str)
+expression *new_expression(char *sv)
 {
 	expression	*e;
 
-	if (!str) return 0;
+	if (!sv) return 0;
+
+	if(strlen(sv)>=EXPRESSION_LENGTH) {
+		LM_ERR("expression string is too large (%s)\n", sv);
+		return 0;
+	}
 
 	e = (expression *)pkg_malloc(sizeof(expression));
 	if (!e) {
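Review bot: The length guard in new_expression compares against EXPRESSION_LENGTH, but the buffer it protects is `e->value`, whose declaration is not visible here, so the check is only correct if that array holds at least EXPRESSION_LENGTH bytes. Tying the bound to the field removes that dependency: `if(strlen(sv)>=sizeof(e->value)) {`. This is valid before the allocation because sizeof does not evaluate `e`, and it assumes value is an in-struct array, as the later `strcpy(e->value, sv)` suggests. A short comment such as `/* e->value is a fixed-size array; reject input that would not fit with its terminator */` would record why the check exists. The function continues past the end of this hunk.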
@@ -128,7 +133,7 @@ expression *new_expression(char *str)
 		return 0;
 	}
 
-	strcpy(e->value, str);
+	strcpy(e->value, sv);
 
 	e->reg_value = (regex_t*)pkg_malloc(sizeof(regex_t));
 	if (!e->reg_value) {
@@ -137,8 +142,8 @@ expression *new_expression(char *str)
 		return 0;
 	}
 
-	if (regcomp(e->reg_value, str, REG_EXTENDED|REG_NOSUB|REG_ICASE) ) {
-		LM_ERR("bad regular expression: %s\n", str);
+	if (regcomp(e->reg_value, sv, REG_EXTENDED|REG_NOSUB|REG_ICASE) ) {
+		LM_ERR("bad regular expression: %s\n", sv);
 		pkg_free(e->reg_value);
 		pkg_free(e);
 		return NULL;



