#### Description - Found a heap overflow in `check_boundaries()` while poking at the multipart body code. - It rebuilds the body into a `buf.len + 2` buffer, but those 2 bytes aren't enough once the last boundary gets rewritten to its closing form (`--boundary--\r\n`) — the final `memcpy()` writes past the end. - The body and the boundary value both come straight off the wire, so anything doing multipart (e.g. `set_body_multipart()`) can trip it. - Fix is small: reserve `fb.len` extra bytes instead of 2, and bounds-check the copies so it can't run over. - Valid bodies come out exactly the same as before. - Also added a fuzz target at `misc/fuzz/fuzz_check_boundaries.c` to keep this path covered. - Tested with ASan: fires on master, clean with the patch, and a normal build throws no new warnings.
You can view, comment on, or merge this pull request online at: https://github.com/kamailio/kamailio/pull/4791 -- Commit Summary -- * Fix heap overflow when rewriting multipart SIP bodies -- File Changes -- A misc/fuzz/fuzz_check_boundaries.c (65) M src/core/msg_translator.c (30) -- Patch Links -- https://github.com/kamailio/kamailio/pull/4791.patch https://github.com/kamailio/kamailio/pull/4791.diff -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/pull/4791 You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/pull/[email protected]>
_______________________________________________ Kamailio - Development Mailing List -- [email protected] To unsubscribe send an email to [email protected] Important: keep the mailing list in the recipients, do not reply only to the sender!
