Module: kamailio Branch: master Commit: 964ed0a5083413eb0a70bd8a952d5a91ee9e9883 URL: https://github.com/kamailio/kamailio/commit/964ed0a5083413eb0a70bd8a952d5a91ee9e9883
Author: Chris Double <[email protected]> Committer: Daniel-Constantin Mierla <[email protected]> Date: 2015-09-02T13:15:37+02:00 parser: fix overflow access when parsing Reason header stored in short buffer - it can happen for fixup functions from textops module having header name as a parameter, with critical impact when using system malloc, the internal pkg malloc does a roundup of the allocated space - the issue is caused by the word (4 bytes) read step performed by parse_hname2() - second 4-byte read in buffer "Reason:" exceeds the size by 1 - added a safe read macro that reads 1, 2 or 3 bytes if the size of the buffer is not big enough for a 4 bytes read --- Modified: parser/case_reas.h Modified: parser/parse_hname2.c --- Diff: https://github.com/kamailio/kamailio/commit/964ed0a5083413eb0a70bd8a952d5a91ee9e9883.diff Patch: https://github.com/kamailio/kamailio/commit/964ed0a5083413eb0a70bd8a952d5a91ee9e9883.patch ---
diff --git a/parser/case_reas.h b/parser/case_reas.h
index e6b8d97..5df0a9d 100644
--- a/parser/case_reas.h
+++ b/parser/case_reas.h
@@ -49,7 +49,7 @@
 #define reas_CASE \
 p += 4; \
- val = READ(p); \
+ val = SAFE_READ(p, end - p); \
 ON_CASE; \
 goto other;
diff --git a/parser/parse_hname2.c b/parser/parse_hname2.c
index 42fb865..e4188a0 100644
--- a/parser/parse_hname2.c
+++ b/parser/parse_hname2.c
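Review bot: The bounded read is applied only to reas_CASE, while the description traces the over-read to the generic 4-byte step in parse_hname2(); any sibling case_*.h macro that does `p += 4; val = READ(p);` on a caller-supplied name buffer would over-read the same way, so those headers (not visible in this diff) deserve the same `end - p` bound. reas_CASE now also relies on an `end` variable being in scope at every expansion site, which the hunk does not show; a comment such as `/* expands inside parse_hname2(): SAFE_READ needs end (buffer limit) in scope */` would make that contract explicit. When `end - p` is 3, as for a buffer holding exactly `Reason:`, SAFE_READ yields a 3-byte value with a zero high byte, so it should be confirmed rather than assumed that the constants compared in ON_CASE still match in that case.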
@@ -95,11 +95,26 @@ static inline char* skip_ws(char* p, unsigned int size)
 /*@} */
+#define SAFE_READ(val, len) \
+((len) == 1 ? READ1(val) : ((len) == 2 ? READ2(val) : ((len) == 3 ? READ3(val) : ((len) > 3 ? READ4(val) : READ0(val)))))
+
 #define READ(val) \
-(*(val + 0) + (*(val + 1) << 8) + (*(val + 2) << 16) + (*(val + 3) << 24))
+READ4(val)
+
+#define READ4(val) \
+(*((val) + 0) + (*((val) + 1) << 8) + (*((val) + 2) << 16) + (*((val) + 3) << 24))
 #define READ3(val) \
-(*(val + 0) + (*(val + 1) << 8) + (*(val + 2) << 16))
+(*((val) + 0) + (*((val) + 1) << 8) + (*((val) + 2) << 16))
+
+#define READ2(val) \
+(*((val) + 0) + (*((val) + 1) << 8))
+
+#define READ1(val) \
+(*((val) + 0))
+
+#define READ0(val) \
+(0)
 #define FIRST_QUATERNIONS \
 case _via1_: via1_CASE; \
_______________________________________________ sr-dev mailing list [email protected] http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
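Review bot: SAFE_READ carries no comment saying what it is for or how it behaves at the limits, and the nested ternary does not make that obvious; I would put above it `/* READ() bounded to the buffer: reads min(len, 4) bytes, len <= 0 gives 0; len is evaluated more than once, so pass a side-effect-free expression such as end - p */`. A negative `len` (end - p is a ptrdiff_t) falls through every comparison to READ0 rather than to READ4, which is the right direction but worth stating next to the macro. Separately, each READn dereferences a plain `char`; where `char` is signed, a byte of 0x80 or above is promoted to a negative int and then shifted left by 16 or 24, which is undefined behaviour — this predates the commit, but since READ4 is being introduced here, casting each byte to `unsigned char` inside the new macros would close it. skip_ws, named in the hunk header, is not itself touched by this change.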
