pespin has submitted this change and it was merged. (
https://gerrit.osmocom.org/c/osmo-mgw/+/14905 )
Change subject: Catch unsigned integer MGCP parsing errors with strtoul
......................................................................
Catch unsigned integer MGCP parsing errors with strtoul
Checks to find if strotul failed are taken both from:
man strtoul
man strtol
Change-Id: Ifba1c1e3151d6f92f9da3d4ca2569a5908455ca8
---
M src/libosmo-mgcp-client/mgcp_client.c
M src/libosmo-mgcp/mgcp_sdp.c
2 files changed, 16 insertions(+), 2 deletions(-)
Approvals:
laforge: Looks good to me, but someone else must approve
osmith: Looks good to me, approved
Jenkins Builder: Verified
diff --git a/src/libosmo-mgcp-client/mgcp_client.c
b/src/libosmo-mgcp-client/mgcp_client.c
index fd188c3..910289e 100644
--- a/src/libosmo-mgcp-client/mgcp_client.c
+++ b/src/libosmo-mgcp-client/mgcp_client.c
@@ -36,6 +36,8 @@
#include <unistd.h>
#include <string.h>
#include <ctype.h>
+#include <stdlib.h>
+#include <limits.h>
#ifndef OSMUX_CID_MAX
#define OSMUX_CID_MAX 255 /* FIXME: use OSMUX_CID_MAX from libosmo-netif? */
@@ -265,6 +267,7 @@
static int mgcp_parse_audio_port_pt(struct mgcp_response *r, char *line)
{
char *pt_str;
+ char *pt_end;
unsigned int pt;
unsigned int count = 0;
unsigned int i;
@@ -289,7 +292,11 @@
pt_str = strtok(NULL, " ");
if (!pt_str)
break;
- pt = atoi(pt_str);
+ errno = 0;
+ pt = strtoul(pt_str, &pt_end, 0);
+ if ((errno == ERANGE && pt == ULONG_MAX) || (errno && !pt) ||
+ pt_str == pt_end)
+ goto response_parse_failure_pt;
/* Do not allow duplicate payload types */
for (i = 0; i < count; i++)
diff --git a/src/libosmo-mgcp/mgcp_sdp.c b/src/libosmo-mgcp/mgcp_sdp.c
index ddd4657..56fc611 100644
--- a/src/libosmo-mgcp/mgcp_sdp.c
+++ b/src/libosmo-mgcp/mgcp_sdp.c
@@ -29,6 +29,8 @@
#include <osmocom/mgcp/mgcp_sdp.h>
#include <errno.h>
+#include <stdlib.h>
+#include <limits.h>
/* Two structs to store intermediate parsing results. The function
* mgcp_parse_sdp_data() is using the following two structs as temporary
@@ -129,6 +131,7 @@
char *str;
char *str_ptr;
char *pt_str;
+ char *pt_end;
unsigned int pt;
unsigned int count = 0;
unsigned int i;
@@ -154,7 +157,11 @@
if (!pt_str)
break;
- pt = atoi(pt_str);
+ errno = 0;
+ pt = strtoul(pt_str, &pt_end, 0);
+ if ((errno == ERANGE && pt == ULONG_MAX) || (errno && !pt) ||
+ pt_str == pt_end)
+ goto error;
/* Do not allow duplicate payload types */
for (i = 0; i < count; i++)
--
To view, visit https://gerrit.osmocom.org/c/osmo-mgw/+/14905
To unsubscribe, or for help writing mail filters, visit
https://gerrit.osmocom.org/settings
Gerrit-Project: osmo-mgw
Gerrit-Branch: master
Gerrit-Change-Id: Ifba1c1e3151d6f92f9da3d4ca2569a5908455ca8
Gerrit-Change-Number: 14905
Gerrit-PatchSet: 2
Gerrit-Owner: pespin <[email protected]>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <[email protected]>
Gerrit-Reviewer: osmith <[email protected]>
Gerrit-Reviewer: pespin <[email protected]>
Gerrit-MessageType: merged
