#### Description

- Found a heap overflow in `check_boundaries()` while poking at the multipart 
body code.
- It rebuilds the body into a `buf.len + 2` buffer, but those 2 bytes aren't 
enough once the last boundary gets rewritten to its closing form 
(`--boundary--\r\n`) — the final `memcpy()` writes past the end.
- The body and the boundary value both come straight off the wire, so anything 
doing multipart (e.g. `set_body_multipart()`) can trip it.
- Fix is small: reserve `fb.len` extra bytes instead of 2, and bounds-check the 
copies so it can't run over.
- Valid bodies come out exactly the same as before.
- Also added a fuzz target at `misc/fuzz/fuzz_check_boundaries.c` to keep this 
path covered.
- Tested with ASan: fires on master, clean with the patch, and a normal build 
throws no new warnings.

You can view, comment on, or merge this pull request online at:

  https://github.com/kamailio/kamailio/pull/4791

-- Commit Summary --

  * Fix heap overflow when rewriting multipart SIP bodies

-- File Changes --

    A misc/fuzz/fuzz_check_boundaries.c (65)
    M src/core/msg_translator.c (30)

-- Patch Links --

https://github.com/kamailio/kamailio/pull/4791.patch
https://github.com/kamailio/kamailio/pull/4791.diff

-- 
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/4791
You are receiving this because you are subscribed to this thread.

Message ID: <kamailio/kamailio/pull/[email protected]>
_______________________________________________
Kamailio - Development Mailing List -- [email protected]
To unsubscribe send an email to [email protected]
Important: keep the mailing list in the recipients, do not reply only to the 
sender!

Reply via email to