[sr-dev] git:4.4:77706a1f: pdb: fix SIGABRT in case of too long uris

Lucian Balaceanu lucian.balaceanu at 1and1.ro
Tue Oct 30 09:45:10 CET 2018


Module: kamailio
Branch: 4.4
Commit: 77706a1f45ce83e43c04883a230a41d0a10b70d1
URL: https://github.com/kamailio/kamailio/commit/77706a1f45ce83e43c04883a230a41d0a10b70d1

Author: Lucian Balaceanu <lucian.balaceanu at 1and1.ro>
Committer: Lucian Balaceanu <lucian.balaceanu at 1and1.ro>
Date: 2018-10-30T10:44:11+02:00

pdb: fix SIGABRT in case of too long uris

kudos for this one go to Verena Kahmann
buf in pdb_msg_dbg should correctly accommodate for pdb_bdy size
pdb_hdr + pdb_bdy should add to pdb_hdr.length (max 255)

---

Modified: modules/pdb/common.h
Modified: modules/pdb/pdb.c

---

Diff:  https://github.com/kamailio/kamailio/commit/77706a1f45ce83e43c04883a230a41d0a10b70d1.diff
Patch: https://github.com/kamailio/kamailio/commit/77706a1f45ce83e43c04883a230a41d0a10b70d1.patch

---

diff --git a/modules/pdb/common.h b/modules/pdb/common.h
index cd4932958b..026c8bc488 100644
--- a/modules/pdb/common.h
+++ b/modules/pdb/common.h
@@ -41,7 +41,8 @@
 #define OTHER_CARRIERID 1000
 #define MAX_CARRIERID 1000
 #define NULL_CARRIERID -1001
-#define PAYLOADSIZE 256
+/* hdr size + PAYLOADSIZE must add to 255 (uint8_t pdb_hdr.length) */
+#define PAYLOADSIZE 249
 
 
 #define IS_VALID_PDB_CARRIERID(id) ((id>=MIN_PDB_CARRIERID) && (id<=MAX_PDB_CARRIERID))
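Review bot: the new value 249 for PAYLOADSIZE is a hand-computed constant; the comment above it says hdr size + PAYLOADSIZE must equal 255, so the definition is only right while sizeof(struct pdb_hdr) is 6, and nothing in the header enforces that. Consider deriving it, e.g. `#define PAYLOADSIZE (255 - sizeof(struct pdb_hdr))`, or adding a compile-time size check next to the struct definition, and state the assumed header size explicitly in the comment.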
diff --git a/modules/pdb/pdb.c b/modules/pdb/pdb.c
index 6feb3098c2..9ea05d34d6 100644
--- a/modules/pdb/pdb.c
+++ b/modules/pdb/pdb.c
@@ -160,7 +160,7 @@ static struct server_list_t *server_list;
 /* debug function for the new client <-> server protocol */
 static void pdb_msg_dbg(struct pdb_msg msg, char *dbg_msg) {
     int i;
-    char buf[PAYLOADSIZE];
+    char buf[PAYLOADSIZE*3+1];
     char *ptr = buf;
 
     for (i = 0; i < msg.hdr.length - sizeof(msg.hdr); i++) {
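Review bot: the loop bound on the last context line, `msg.hdr.length - sizeof(msg.hdr)`, is evaluated in size_t, so a response whose length field is smaller than the header wraps to a huge count and the loop walks far past the payload no matter how large buf is now. Add `if (msg.hdr.length < sizeof(msg.hdr)) return;` before the loop, or clamp the count to PAYLOADSIZE. The new size `PAYLOADSIZE*3+1` also bakes in the assumption that the loop body writes at most three characters per payload byte; a comment saying so would keep a later format change from reintroducing the overflow.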
@@ -279,7 +279,7 @@ static int pdb_query(struct sip_msg *_msg, struct multiparam_t *_number, struct
 
 	/* prepare request */
 	reqlen = number.len + 1; /* include null termination */
-	if (reqlen > sizeof(struct pdb_bdy)) {
+	if (reqlen > PAYLOADSIZE) {
 		LM_ERR("number too long '%.*s'.\n", number.len, number.s);
 		return -1;
 	}
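Review bot: the check now compares reqlen against PAYLOADSIZE instead of sizeof(struct pdb_bdy), so the limit and the buffer the number is copied into only agree if struct pdb_bdy is itself defined in terms of PAYLOADSIZE; if it is not, the two can drift apart and the copy can again exceed the body. Either keep the struct tied to the constant or check against both. The log line would also be more useful with the limit in it, e.g. `LM_ERR("number too long (max %d) '%.*s'.\n", PAYLOADSIZE - 1, number.len, number.s);`.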
@@ -319,6 +319,7 @@ static int pdb_query(struct sip_msg *_msg, struct multiparam_t *_number, struct
             break;
     }
 
+        memset(&msg,0,sizeof(struct pdb_msg));
 	/* wait for response */
 	for (;;) {
 		if (gettimeofday(&tnow, NULL) != 0) {
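Review bot: the added memset on the `+` line is indented with spaces where the surrounding lines use tabs, and it has no comment saying why msg is cleared at this point. Reindent with a tab, write it as `memset(&msg, 0, sizeof(struct pdb_msg));` to match the file's spacing, and add a one-line comment that msg is zeroed before the response is read so a short or failed read leaves zeros rather than whatever msg held before.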
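The sizing rule the commit relies on (a uint8_t length covering header plus payload, three output characters per dumped byte) is easy to get wrong again, so here is an added example, not code from Kamailio or the pdb module, that models it. Only the arithmetic comes from the commit (255 minus a 6-byte header gives 249); the struct field names, the function names and the sample message are constructed for illustration. It shows the debug buffer size needed for a maximal payload, a hex dump that refuses to write past its buffer, a guard against a length field smaller than the header, and the request-side check from pdb_query.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the pdb wire format. Only the arithmetic comes from the
 * commit (hdr size + PAYLOADSIZE == 255, so the header is 6 bytes); the field
 * names below are assumptions, not the project's real struct. */
struct pdb_hdr {
    uint8_t  type;
    uint8_t  version;
    uint16_t id;
    uint8_t  flags;
    uint8_t  length;  /* total bytes on the wire: header + payload, max 255 */
};
#define PDB_MAX_MSG 255u
#define PAYLOADSIZE (PDB_MAX_MSG - sizeof(struct pdb_hdr))  /* 249 */
/* Compile-time check that this model matches the commit's constants. */
typedef char pdb_hdr_size_check[(sizeof(struct pdb_hdr) == 6) ? 1 : -1];

/* Bytes a debug buffer needs to hold "xx " for every payload byte plus NUL.
 * For a full 249-byte payload this is 748, far more than the old buf[256]. */
size_t pdb_dbg_bufsize(size_t payload_len) { return payload_len * 3 + 1; }

/* Payload length announced by a header, or -1 when the length field is
 * smaller than the header itself (as unsigned arithmetic this would wrap). */
int pdb_payload_len(const struct pdb_hdr *h) {
    if (h->length < sizeof(*h)) return -1;
    return (int)(h->length - sizeof(*h));
}

/* Bounded hex dump of the payload that follows hdr. Returns the number of
 * characters written (excluding NUL), or -1 if the header is inconsistent or
 * out is too small; never writes beyond out[outsz - 1]. */
int pdb_msg_hexdump(const struct pdb_hdr *hdr, const uint8_t *payload,
                    char *out, size_t outsz) {
    int n = pdb_payload_len(hdr);
    if (n < 0 || (size_t)n > PAYLOADSIZE) return -1;
    if (outsz < pdb_dbg_bufsize((size_t)n)) return -1;
    size_t used = 0;
    for (int i = 0; i < n; i++) {
        int w = snprintf(out + used, outsz - used, "%02x ", payload[i]);
        if (w < 0 || (size_t)w >= outsz - used) return -1;
        used += (size_t)w;
    }
    out[used] = '\0';
    return (int)used;
}

/* Request-side check mirroring pdb_query: the number plus its NUL must fit
 * the payload, which by construction keeps header + payload within uint8_t. */
int pdb_request_fits(size_t number_len) {
    size_t reqlen = number_len + 1;                 /* include NUL */
    if (reqlen > PAYLOADSIZE) return 0;
    return (sizeof(struct pdb_hdr) + reqlen) <= PDB_MAX_MSG;
}

/* Constructed sample: a 4-byte payload, so hdr.length is 6 + 4 = 10. */
static const uint8_t sample_payload[4] = { 0xde, 0xad, 0xbe, 0xef };

/* Dump the sample into out (outsz bytes); returns the hexdump result. */
int pdb_demo_dump(char *out, size_t outsz) {
    struct pdb_hdr h = { 1, 1, 0x0102, 0,
                         (uint8_t)(sizeof(struct pdb_hdr) + sizeof(sample_payload)) };
    return pdb_msg_hexdump(&h, sample_payload, out, outsz);
}

/* 1 if the sample dumps to "de ad be ef " in a correctly sized buffer. */
int pdb_demo_ok(void) {
    char buf[PAYLOADSIZE * 3 + 1];
    return pdb_demo_dump(buf, sizeof(buf)) == 12 && strcmp(buf, "de ad be ef ") == 0;
}

/* Buffer one byte too small (needs 13): must yield -1, not a write past the end. */
int pdb_demo_short(void) {
    char buf[12];
    return pdb_demo_dump(buf, sizeof(buf));
}

/* A header whose length is smaller than the header itself must be rejected. */
int pdb_demo_truncated(void) {
    struct pdb_hdr h = { 1, 1, 0, 0, 5 };
    return pdb_payload_len(&h);
}

int main(void) {
    printf("debug buffer for max payload: %zu bytes\n", pdb_dbg_bufsize(PAYLOADSIZE));
    printf("sample ok: %d, short buffer: %d, truncated header: %d\n",
           pdb_demo_ok(), pdb_demo_short(), pdb_demo_truncated());
    return 0;
}
```

The point of deriving PAYLOADSIZE from sizeof(struct pdb_hdr) rather than writing 249 is that the two numbers cannot drift apart; the typedef-based size check fails the build if the assumed 6-byte header ever changes, and every length taken from the wire is validated before it becomes a loop bound.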