The HEPv3 parsers (`parsing_hepv3_message`, `hepv3_message_parse`,
`hepv3_get_chunk`) take the total length straight from the packet's control
header and walk the chunk list with it, without ever checking it against the
number of bytes actually received. Each chunk header and field is then
dereferenced directly from the buffer.

A malformed HEP datagram that advertises more bytes than were received (e.g.
header says 200, only 20 arrive) makes the loop read chunks past the end of the
received data — an out-of-bounds read reachable straight from the network.

The fix adds two small helpers used at all three parse points: one rejects a
control header that claims more than was received, the other bounds-checks each
chunk (header inside the buffer, advertises at least its 6-byte header, whole
chunk fits) before it is dereferenced. It also replaces the old
`chunk_length == 0` guard. No behaviour change for well-formed packets.

Tested locally and `clang-format` clean.

You can view, comment on, or merge this pull request online at:

  https://github.com/kamailio/kamailio/pull/4794

-- Commit Summary --

  * sipcapture: validate HEPv3 chunk boundaries against packet length

-- File Changes --

    M src/modules/sipcapture/hep.c (87)

-- Patch Links --

https://github.com/kamailio/kamailio/pull/4794.patch
https://github.com/kamailio/kamailio/pull/4794.diff

-- 
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/4794
You are receiving this because you are subscribed to this thread.

Message ID: <kamailio/kamailio/pull/[email protected]>
_______________________________________________
Kamailio - Development Mailing List -- [email protected]
To unsubscribe send an email to [email protected]
Important: keep the mailing list in the recipients, do not reply only to the 
sender!

Reply via email to