[sr-dev] git:master:82f14f54: pv_headers: fix possible mem. overflow issue and wrong size string

Victor Seva linuxmaniac at torreviejawireless.org
Tue May 3 10:04:25 CEST 2022


Module: kamailio
Branch: master
Commit: 82f14f54a45a2d0ddd4c870d6fb4adae7e1a65f1
URL: https://github.com/kamailio/kamailio/commit/82f14f54a45a2d0ddd4c870d6fb4adae7e1a65f1

Author: Fabricio Santolin da Silva <fabricio.santolin-da-silva at al-enterprise.com>
Committer: Victor Seva <linuxmaniac at torreviejawireless.org>
Date: 2022-05-03T10:04:17+02:00

pv_headers: fix possible mem. overflow issue and wrong size string

- remove a variable creation
- change from using snprintf to memset (no more \0 at last position)
- change the destination's allocated space, which was smaller than the source

---

Modified: src/modules/pv_headers/pvh_func.c

---

Diff:  https://github.com/kamailio/kamailio/commit/82f14f54a45a2d0ddd4c870d6fb4adae7e1a65f1.diff
Patch: https://github.com/kamailio/kamailio/commit/82f14f54a45a2d0ddd4c870d6fb4adae7e1a65f1.patch

---

diff --git a/src/modules/pv_headers/pvh_func.c b/src/modules/pv_headers/pvh_func.c
index c2a3f98e41..dde1b8301b 100644
--- a/src/modules/pv_headers/pvh_func.c
+++ b/src/modules/pv_headers/pvh_func.c
@@ -383,13 +383,13 @@ int pvh_header_param_exists(struct sip_msg *msg, str *hname, str *hvalue)
 
 int pvh_remove_header_param(struct sip_msg *msg, int idx, str *hname, str *elements, str *toRemove)
 {
+	int notTarget, writtenChars;
 	int offset = 0;
 	int ret = -1;
 	char *next_token;
 	char *token;
 	char *result = (char*)pkg_malloc(elements->len - toRemove->len);
-	char *t = (char*)pkg_malloc(elements->len);
-	int maxSize = elements->len;
+	char *t = (char*)pkg_malloc(elements->len+1);
 
 	if (result == NULL || t == NULL)
 	{
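Review bot: `result` is still allocated with `elements->len - toRemove->len` bytes, while the snprintf calls in the next hunk bound their writes with `elements->len - offset`, so they can write past the allocation by up to `toRemove->len` bytes (for instance when no token matches and every token is copied). The size is also computed before anything checks that `toRemove->len` is smaller than `elements->len`; the `elements->len-toRemove->len > 0` test only comes after the loop, so a zero or negative value can reach pkg_malloc. Sizing the buffer like `t`, with `char *result = (char*)pkg_malloc(elements->len+1);`, and returning early when `toRemove->len >= elements->len` would keep the allocation and the write bounds consistent. The function body continues outside this hunk.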
@@ -397,37 +397,35 @@ int pvh_remove_header_param(struct sip_msg *msg, int idx, str *hname, str *eleme
 		goto clean;
 	}
 
-	snprintf(result, elements->len - toRemove->len, "%*s", elements->len - toRemove->len, "");
 	snprintf(t, elements->len+1, "%s", elements->s);
 
 	token = strtok_r(t, ", ", &next_token);
 	while(token)
 	{
-		int notTarget = strncmp(token, toRemove->s, toRemove->len);
+		notTarget = strncmp(token, toRemove->s, toRemove->len);
 		if (notTarget)
 		{
-			int n = snprintf(result + offset, maxSize - offset, "%s", token);
-			if (n < 0 || n >= maxSize - offset)
+			writtenChars = snprintf(result + offset, elements->len - offset, "%s", token);
+			if (writtenChars < 0 || writtenChars >= elements->len - offset)
 			{
 				break;
 			}
-			offset += n;
+			offset += writtenChars;
 		}
 		token = strtok_r(NULL, ", ", &next_token);
-		if (token && notTarget && maxSize - offset - toRemove->len > 2)
+		if (token && notTarget && elements->len - offset - toRemove->len > 2)
 		{
-			int n = snprintf(result + offset, maxSize - offset, ", ");
-			if (n < 0 || n >= maxSize - offset)
+			writtenChars = snprintf(result + offset, elements->len - offset, ", ");
+			if (writtenChars < 0 || writtenChars >= elements->len - offset)
 			{
 				break;
 			}
-			offset += n;
+			offset += writtenChars;
 		}
 	}
 
 	if (elements->len-toRemove->len > 0)
 	{
-		snprintf(elements->s, elements->len, "%*s", elements->len-toRemove->len, "");
 		snprintf(elements->s, (strlen(result)%elements->len)+1, "%s", result);
 		elements->len = strlen(result);
 		ret = 1;
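Review bot: With the padding `snprintf(result, ...)` removed, `result` is never initialised before the loop, so the `strlen(result)` calls after it read uninitialised memory whenever no token is copied. That can happen because `strncmp(token, toRemove->s, toRemove->len)` is a prefix comparison: a single token that merely starts with `toRemove` is skipped while `elements->len-toRemove->len` is still positive. Adding `result[0] = '\0';` right after the NULL check would make the empty case well defined; the commit description mentions a memset, but none appears in the visible hunks. It may also be worth comparing `strlen(token)` with `toRemove->len` so that only exact parameter names are dropped. The enclosing `if` and the `clean` label lie outside this hunk.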



