Heap Overflow in check_boundaries() (multipart body)

**Bug:** `check_boundaries()` rebuilds the body into a `buf.len + 2` buffer, but
2 bytes aren't enough once the last boundary is rewritten to its closing form
(`--boundary--\r\n`) — the final `memcpy()` writes past the end.

**Impact:** Heap overflow. Body and boundary both come off the wire, so anything
doing multipart (e.g. `set_body_multipart()`) can trip it.

**Causes:**
- Buffer reserves only `+2` bytes, too small for the rewritten closing boundary.
- Copies aren't bounds-checked, so the final write runs over.

**Fix:** Reserve `fb.len` extra bytes instead of 2, and bounds-check the copies
so they can't overrun.

**Tested:** Valid bodies unchanged. Added fuzz target
`misc/fuzz/fuzz_check_boundaries.c`. ASan fires on master, clean with patch. No
new warnings.

You can view, comment on, or merge this pull request online at:

  https://github.com/kamailio/kamailio/pull/4792

-- Commit Summary --

  * sipcapture: validate HEPv3 chunk boundaries against packet length

-- File Changes --

    M src/modules/sipcapture/hep.c (159)

-- Patch Links --

https://github.com/kamailio/kamailio/pull/4792.patch
https://github.com/kamailio/kamailio/pull/4792.diff

-- 
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/4792
You are receiving this because you are subscribed to this thread.

Message ID: <kamailio/kamailio/pull/[email protected]>
_______________________________________________
Kamailio - Development Mailing List -- [email protected]
To unsubscribe send an email to [email protected]
Important: keep the mailing list in the recipients, do not reply only to the 
sender!

Reply via email to