[sr-dev] git:master:783763e8: pdb: fix SIGABRT in case of too long uris
Lucian Balaceanu
lucian.balaceanu at 1and1.ro
Tue Oct 30 09:38:33 CET 2018
Module: kamailio
Branch: master
Commit: 783763e8accef47aa563cd17d1e170250268751c
URL: https://github.com/kamailio/kamailio/commit/783763e8accef47aa563cd17d1e170250268751c
Author: Lucian Balaceanu <lucian.balaceanu at 1and1.ro>
Committer: Lucian Balaceanu <lucian.balaceanu at 1and1.ro>
Date: 2018-10-29T11:54:45+02:00
pdb: fix SIGABRT in case of too long uris
buf in pdb_msg_dbg should correctly accommodate the pdb_bdy size
pdb_hdr + pdb_bdy should add to pdb_hdr.length (max 255)
---
Modified: src/modules/pdb/common.h
Modified: src/modules/pdb/pdb.c
---
Diff: https://github.com/kamailio/kamailio/commit/783763e8accef47aa563cd17d1e170250268751c.diff
Patch: https://github.com/kamailio/kamailio/commit/783763e8accef47aa563cd17d1e170250268751c.patch
---
diff --git a/src/modules/pdb/common.h b/src/modules/pdb/common.h
index 1ba16cdf98..7c52c97ce0 100644
--- a/src/modules/pdb/common.h
+++ b/src/modules/pdb/common.h
@@ -35,7 +35,8 @@
#define OTHER_CARRIERID 1000
#define MAX_CARRIERID 1000
#define NULL_CARRIERID -1001
-#define PAYLOADSIZE 256
+/* hdr size + PAYLOADSIZE must add to 255 (uint8_t pdb_hdr.length) */
+#define PAYLOADSIZE 249
#define IS_VALID_PDB_CARRIERID(id) ((id>=MIN_PDB_CARRIERID) && (id<=MAX_PDB_CARRIERID))
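Review bot: The new comment on PAYLOADSIZE states an invariant (header size + PAYLOADSIZE must fit the uint8_t pdb_hdr.length) that nothing enforces; if struct pdb_hdr ever grows, the length field wraps again and the buffer sizing in pdb_msg_dbg is back to the reported SIGABRT. Where struct pdb_hdr is visible, a compile-time check such as `_Static_assert(sizeof(struct pdb_hdr) + PAYLOADSIZE <= 255, "pdb_hdr.length is uint8_t");` would pin it, if the build is C11. The value 249 implies a 6-byte header, which this hunk does not show; stating that assumption in the comment would help the next reader.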
diff --git a/src/modules/pdb/pdb.c b/src/modules/pdb/pdb.c
index 8f2f80c326..eb59656734 100644
--- a/src/modules/pdb/pdb.c
+++ b/src/modules/pdb/pdb.c
@@ -145,7 +145,7 @@ static struct server_list_t *server_list;
/* debug function for the new client <-> server protocol */
static void pdb_msg_dbg(struct pdb_msg msg, char *dbg_msg) {
int i;
- char buf[PAYLOADSIZE];
+ char buf[PAYLOADSIZE * 3 + 1];
char *ptr = buf;
for (i = 0; i < msg.hdr.length - sizeof(msg.hdr); i++) {
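Review bot: The enlarged buf only bounds the dump when the loop on the last line iterates at most PAYLOADSIZE times, but `msg.hdr.length - sizeof(msg.hdr)` is evaluated in size_t, so a header whose length field is smaller than sizeof(msg.hdr) wraps to a huge count and the loop walks past msg.bdy and overflows buf whatever its size; `i` being an int compared against a size_t also mixes signedness. A guard ahead of the loop, `if (msg.hdr.length < sizeof(msg.hdr)) return;` with the bound kept in a size_t, closes that, assuming hdr.length is the uint8_t the commit message describes. The factor of 3 presumably matches a per-byte formatting width in the loop body, which continues outside the hunk.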
@@ -265,7 +265,7 @@ static int pdb_query(struct sip_msg *_msg, struct multiparam_t *_number, struct
/* prepare request */
reqlen = number.len + 1; /* include null termination */
- if (reqlen > sizeof(struct pdb_bdy)) {
+ if (reqlen > PAYLOADSIZE) {
LM_ERR("number too long '%.*s'.\n", number.len, number.s);
return -1;
}
@@ -305,6 +305,7 @@ static int pdb_query(struct sip_msg *_msg, struct multiparam_t *_number, struct
break;
}
+ memset(&msg, 0, sizeof(struct pdb_msg));
/* wait for response */
for (;;) {
if (gettimeofday(&tnow, NULL) != 0) {
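Review bot: The added memset clears the request after it has been sent, but its purpose is not stated; if msg is reused to receive the reply, this is what guarantees a reply shorter than PAYLOADSIZE leaves msg.bdy NUL-terminated before it is printed or copied, so a comment such as `/* clear request so a short reply leaves msg.bdy NUL-terminated */` would keep the intent from being lost in a later refactor. `sizeof(msg)` rather than `sizeof(struct pdb_msg)` would also tie the length to the variable. Whether the reply is actually read into this msg is outside the hunk.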