Module: sip-router
Branch: 4.0
Commit: a49467e98dc721a1e4dbd9ba547d72aa38018883
URL:    
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=a49467e98dc721a1e4dbd9ba547d72aa38018883

Author: Daniel-Constantin Mierla <[email protected]>
Committer: Daniel-Constantin Mierla <[email protected]>
Date:   Fri Apr 12 00:50:24 2013 +0200

core: safety check for content-lenght size in tcp read

- avoid getting negative
- upon a report by Kevin Wojtysiak
(cherry picked from commit 3c54420914c011bdd874a97c4c40ee9dacb59788)

---

 tcp_read.c |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

diff --git a/tcp_read.c b/tcp_read.c
index b969e6c..618e05a 100644
--- a/tcp_read.c
+++ b/tcp_read.c
@@ -805,11 +805,25 @@ int tcp_read_headers(struct tcp_connection *c, int* 
read_flags)
                                        case '\r':
                                        case ' ':
                                        case '\t': /* FIXME: check if line 
contains only WS */
+                                               if(r->content_len<0) {
+                                                       LOG(L_ERR, "bad 
Content-Length header value %d in"
+                                                                       " state 
%d\n", r->content_len, r->state);
+                                                       r->content_len=0;
+                                                       
r->error=TCP_REQ_BAD_LEN;
+                                                       r->state=H_SKIP; /* 
skip now */
+                                               }
                                                r->state=H_SKIP;
                                                r->flags|=F_TCP_REQ_HAS_CLEN;
                                                break;
                                        case '\n':
                                                /* end of line, parse 
successful */
+                                               if(r->content_len<0) {
+                                                       LOG(L_ERR, "bad 
Content-Length header value %d in"
+                                                                       " state 
%d\n", r->content_len, r->state);
+                                                       r->content_len=0;
+                                                       
r->error=TCP_REQ_BAD_LEN;
+                                                       r->state=H_SKIP; /* 
skip now */
+                                               }
                                                r->state=H_LF;
                                                r->flags|=F_TCP_REQ_HAS_CLEN;
                                                break;
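Review bot: In the `case '\n'` branch the added `r->state=H_SKIP; /* skip now */` is overwritten by the unconditional `r->state=H_LF;` that follows the block, so the skip never takes effect there; in the whitespace branch the same assignment merely duplicates the `r->state=H_SKIP;` after it. Both branches still set `F_TCP_REQ_HAS_CLEN` after forcing `content_len` to 0, so rejecting the message depends on later code acting on `r->error=TCP_REQ_BAD_LEN`; `tcp_read_headers` continues outside the hunk, so that handling should be confirmed. I would drop the dead assignment and record the dependency with a comment such as `/* state is set below; the request is rejected via r->error */`. The check also only catches a value that is already negative: the digit accumulation is not visible here, but if it is plain signed arithmetic, an oversized Content-Length is undefined behaviour and can wrap back to a positive length that passes this test. A bound applied while the digits are accumulated would be the more robust guard.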

