Module: kamailio
Branch: master
Commit: 9b4934fd9cdae45f4e9c2015a036ffb4ebd8ab22
URL: 
https://github.com/kamailio/kamailio/commit/9b4934fd9cdae45f4e9c2015a036ffb4ebd8ab22

Author: Daniel-Constantin Mierla <[email protected]>
Committer: Daniel-Constantin Mierla <[email protected]>
Date: 2026-05-05T08:59:38+02:00

dlgs: added size limit per item

---

Modified: src/modules/dlgs/dlgs_records.c

---

Diff:  
https://github.com/kamailio/kamailio/commit/9b4934fd9cdae45f4e9c2015a036ffb4ebd8ab22.diff
Patch: 
https://github.com/kamailio/kamailio/commit/9b4934fd9cdae45f4e9c2015a036ffb4ebd8ab22.patch

---

diff --git a/src/modules/dlgs/dlgs_records.c b/src/modules/dlgs/dlgs_records.c
index 85bd6401e77..89301956b76 100644
--- a/src/modules/dlgs/dlgs_records.c
+++ b/src/modules/dlgs/dlgs_records.c
@@ -126,11 +126,15 @@ int dlgs_sipfields_get(sip_msg_t *msg, dlgs_sipfields_t 
*sf)
        return 0;
 }
 
+#define DLGS_ITEM_SIZE_MAX (1 << 16)
+
 dlgs_item_t *dlgs_item_new(sip_msg_t *msg, dlgs_sipfields_t *sf, str *src,
                str *dst, str *data, unsigned int hashid)
 {
        dlgs_item_t *item;
-       unsigned int msize;
+       size_t msize;
+       size_t payload_size;
+       size_t ttag_space;
        str ruid = STR_NULL;
        char ruidbuf[SRUID_SIZE + 16];
 
@@ -150,13 +154,56 @@ dlgs_item_t *dlgs_item_new(sip_msg_t *msg, 
dlgs_sipfields_t *sf, str *src,
        }
        ruid.s = ruidbuf;
 
-       msize = sizeof(dlgs_item_t)
-                       + (sf->callid.len + 1 + sf->ftag.len + 1
-                                         + ((sf->ttag.len > 0) ? (sf->ttag.len 
+ 1)
-                                                                               
        : DLGS_TOTAG_SIZE)
-                                         + ruid.len + 1 + dst->len + 1 + 
src->len + 1 + data->len
-                                         + 1 + sf->branch.len + 1)
-                                         * sizeof(char);
+       if(sf->callid.len < 0 || sf->ftag.len < 0 || sf->ttag.len < 0
+                       || sf->branch.len < 0 || src == NULL || src->len < 0 || 
dst == NULL
+                       || dst->len < 0 || data == NULL || data->len < 0 || 
ruid.len < 0) {
+               LM_ERR("invalid negative length while building dlg item\n");
+               return NULL;
+       }
+
+       ttag_space =
+                       (sf->ttag.len > 0) ? (size_t)sf->ttag.len + 1 : 
DLGS_TOTAG_SIZE;
+       payload_size = (size_t)sf->callid.len + 1;
+       if(payload_size > DLGS_ITEM_SIZE_MAX - ((size_t)sf->ftag.len + 1)) {
+               LM_ERR("dlg item size overflow\n");
+               return NULL;
+       }
+       payload_size += (size_t)sf->ftag.len + 1;
+       if(payload_size > DLGS_ITEM_SIZE_MAX - ttag_space) {
+               LM_ERR("dlg item size overflow\n");
+               return NULL;
+       }
+       payload_size += ttag_space;
+       if(payload_size > DLGS_ITEM_SIZE_MAX - ((size_t)ruid.len + 1)) {
+               LM_ERR("dlg item size overflow\n");
+               return NULL;
+       }
+       payload_size += (size_t)ruid.len + 1;
+       if(payload_size > DLGS_ITEM_SIZE_MAX - ((size_t)dst->len + 1)) {
+               LM_ERR("dlg item size overflow\n");
+               return NULL;
+       }
+       payload_size += (size_t)dst->len + 1;
+       if(payload_size > DLGS_ITEM_SIZE_MAX - ((size_t)src->len + 1)) {
+               LM_ERR("dlg item size overflow\n");
+               return NULL;
+       }
+       payload_size += (size_t)src->len + 1;
+       if(payload_size > DLGS_ITEM_SIZE_MAX - ((size_t)data->len + 1)) {
+               LM_ERR("dlg item size overflow\n");
+               return NULL;
+       }
+       payload_size += (size_t)data->len + 1;
+       if(payload_size > DLGS_ITEM_SIZE_MAX - ((size_t)sf->branch.len + 1)) {
+               LM_ERR("dlg item size overflow\n");
+               return NULL;
+       }
+       payload_size += (size_t)sf->branch.len + 1;
+       if(payload_size > DLGS_ITEM_SIZE_MAX - sizeof(dlgs_item_t)) {
+               LM_ERR("dlg item size overflow\n");
+               return NULL;
+       }
+       msize = sizeof(dlgs_item_t) + payload_size;
 
        item = (dlgs_item_t *)shm_malloc(msize);
        if(item == NULL) {
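Review bot: The step checks `payload_size > DLGS_ITEM_SIZE_MAX - X` are unsigned, so when a single component X (for example `(size_t)sf->ftag.len + 1` in the first check) is itself larger than DLGS_ITEM_SIZE_MAX the subtraction wraps, the check passes, and the oversized length is added to `payload_size`. With a 64-bit size_t a later step (at the latest the final `sizeof(dlgs_item_t)` check) still rejects the item, but with a 32-bit size_t two such components can wrap `payload_size` back below the limit and `shm_malloc` then receives a buffer too small for the copies that follow; whether str lengths that large can reach this point depends on callers outside the hunk, so treat this as inferred. Each step should also bound the component itself, and since the seven steps are identical apart from the operand, a small static helper removes the repetition; a sketch follows. The `DLGS_ITEM_SIZE_MAX` definition in the first hunk would also benefit from a comment such as `/* upper bound, in bytes, for one shm dlgs_item_t together with its string payload */`. dlgs_item_new() starts in the first hunk and its body continues past the end of this one.
```c
/* add one component to the running item size; fail if the total would exceed
 * DLGS_ITEM_SIZE_MAX (a single component above the limit is rejected first,
 * so the unsigned subtraction cannot wrap) */
static int dlgs_item_size_add(size_t *total, size_t add)
{
	if(add > DLGS_ITEM_SIZE_MAX || *total > DLGS_ITEM_SIZE_MAX - add) {
		return -1;
	}
	*total += add;
	return 0;
}

/* … unchanged: dlgs_item_new() up to and including the ttag_space assignment … */
	payload_size = 0;
	if(dlgs_item_size_add(&payload_size, (size_t)sf->callid.len + 1) < 0
			|| dlgs_item_size_add(&payload_size, (size_t)sf->ftag.len + 1) < 0
			|| dlgs_item_size_add(&payload_size, ttag_space) < 0
			|| dlgs_item_size_add(&payload_size, (size_t)ruid.len + 1) < 0
			|| dlgs_item_size_add(&payload_size, (size_t)dst->len + 1) < 0
			|| dlgs_item_size_add(&payload_size, (size_t)src->len + 1) < 0
			|| dlgs_item_size_add(&payload_size, (size_t)data->len + 1) < 0
			|| dlgs_item_size_add(&payload_size, (size_t)sf->branch.len + 1) < 0) {
		LM_ERR("dlg item size overflow\n");
		return NULL;
	}
	/* … unchanged: final sizeof(dlgs_item_t) check, msize assignment, shm_malloc … */
```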
