[sr-dev] git:5.0:1ecc8843: core: tcp_read_headers() safety checks for parsed pointer

Daniel-Constantin Mierla miconda at gmail.com
Fri Sep 15 14:46:53 CEST 2017


Module: kamailio
Branch: 5.0
Commit: 1ecc88431777f0013aa29cbcccc041168002dea5
URL: https://github.com/kamailio/kamailio/commit/1ecc88431777f0013aa29cbcccc041168002dea5

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2017-09-15T14:46:29+02:00

core: tcp_read_headers() safety checks for parsed pointer

- reset if it is out of read buffer range and the state is H_SKIP_EMPTY

(cherry picked from commit f47f42ac12ad111b3bad52aa2d495fbed5ef395d)

---

Modified: src/core/tcp_read.c

---

Diff:  https://github.com/kamailio/kamailio/commit/1ecc88431777f0013aa29cbcccc041168002dea5.diff
Patch: https://github.com/kamailio/kamailio/commit/1ecc88431777f0013aa29cbcccc041168002dea5.patch

---

diff --git a/src/core/tcp_read.c b/src/core/tcp_read.c
index 7014353c62..818bc52b7f 100644
--- a/src/core/tcp_read.c
+++ b/src/core/tcp_read.c
@@ -428,7 +428,7 @@ int tcp_read_headers(struct tcp_connection *c, int* read_flags)
 							r->state=(newstate); break; \
 						crlf_default_skip_case; \
 					}
-	
+
 	#define change_state_case(state0, upper, lower, newstate)\
 					case state0: \
 							  change_state(upper, lower, newstate); \
@@ -437,6 +437,22 @@ int tcp_read_headers(struct tcp_connection *c, int* read_flags)
 
 
 	r=&c->req;
+	if(r->parsed<r->buf || r->parsed>r->buf+r->b_size) {
+		if(r->parsed<r->buf && (unsigned char)r->state==H_SKIP_EMPTY) {
+			/* give it a chance to parse from beginning */
+			LM_WARN("resetting parsed pointer (buf:%p parsed:%p bsize:%u)\n",
+				r->buf, r->parsed, r->b_size);
+			r->parsed = r->buf;
+		} else {
+			LM_ERR("out of bounds parsed pointer (buf:%p parsed:%p bsize:%u)\n",
+				r->buf, r->parsed, r->b_size);
+			r->parsed = r->buf;
+			r->content_len=0;
+			r->error=TCP_REQ_BAD_LEN;
+			r->state=H_SKIP; /* skip state now */
+			return -1;
+		}
+	}
 	/* if we still have some unparsed part, parse it first, don't do the read*/
 	if (unlikely(r->parsed<r->pos)){
 		bytes=0;




More information about the sr-dev mailing list