The HEPv3 parsers (`parsing_hepv3_message`, `hepv3_message_parse`, `hepv3_get_chunk`) take the total length straight from the packet's control header and walk the chunk list with it, without ever checking it against the number of bytes actually received. Each chunk header and field is then dereferenced directly from the buffer.
A malformed HEP datagram that advertises more bytes than were received (e.g. header says 200, only 20 arrive) makes the loop read chunks past the end of the received data — an out-of-bounds read reachable straight from the network. The fix adds two small helpers used at all three parse points: one rejects a control header that claims more than was received, the other bounds-checks each chunk (header inside the buffer, advertises at least its 6-byte header, whole chunk fits) before it is dereferenced. It also replaces the old `chunk_length == 0` guard. No behaviour change for well-formed packets. Tested locally and `clang-format` clean. You can view, comment on, or merge this pull request online at: https://github.com/kamailio/kamailio/pull/4794 -- Commit Summary -- * sipcapture: validate HEPv3 chunk boundaries against packet length -- File Changes -- M src/modules/sipcapture/hep.c (87) -- Patch Links -- https://github.com/kamailio/kamailio/pull/4794.patch https://github.com/kamailio/kamailio/pull/4794.diff -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/pull/4794 You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/pull/[email protected]>
_______________________________________________ Kamailio - Development Mailing List -- [email protected] To unsubscribe send an email to [email protected] Important: keep the mailing list in the recipients, do not reply only to the sender!
