orbisai0security left a comment (kamailio/kamailio#4750)
Thanks for the review. You're right on both points.
strncpy → memcpy: Reverted. Those copies are of AVP names sourced from the
Kamailio config, not from SIP messages, and the length is already
bounds-checked before the copy. There was no security justification for that
change.
NUL byte escaping: You're correct that a NUL byte in a SIP URI would be
rejected by the SIP parser before ever reaching the h350 module, so there is no
exploitable injection path. However, RFC 4515 §2.4 explicitly lists NUL as a
character that MUST be escaped as \00 in LDAP filter assertions. The case '\0':
addition is kept purely as a spec compliance fix, not a security fix. The PR
title and description have been updated to reflect this accurately.
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/4750#issuecomment-4671930914
You are receiving this because you are subscribed to this thread.
Message ID: <kamailio/kamailio/pull/4750/[email protected]>
_______________________________________________
Kamailio - Development Mailing List -- [email protected]
To unsubscribe send an email to [email protected]
Important: keep the mailing list in the recipients, do not reply only to the
sender!