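--- a/modules/sipmsgops/sipmsgops.c
+++ b/modules/sipmsgops/sipmsgops.c
@@ -2123,6 +2123,10 @@ static int w_sip_to_json(struct sip_msg *msg, pv_spec_t* out_json)
 }
 
 for (it=msg->headers;it;it=it->next) {
+if (it->name.len >= sizeof(hdr_name_buf)) {
+LM_WARN("header name too long (%d), skipping\n", it->name.len);
+continue;
+}
 memcpy(hdr_name_buf,it->name.s,it->name.len);
 hdr_name_buf[it->name.len] = 0;
 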
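Review bot: The new guard at the top of the header loop rejects a negative `it->name.len` only as a side effect of the comparison with `sizeof`, which promotes the length (printed with `%d`, so presumably an int) to an unsigned type. That is easy to lose in a later edit, so I would document it, for example `/* name.len is converted to size_t here, so a negative length is rejected as well */`. Separately, skipping the header leaves the JSON a partial view of the message with only a warning in the log. If scripts base decisions on this output, failing the conversion may be the safer behaviour; the rest of the loop and the return path are outside the hunk, so I cannot tell how callers would see that.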
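--- a/msg_translator.c
+++ b/msg_translator.c
@@ -2906,6 +2906,7 @@ char *construct_uri(str *protocol,str *username,str *domain,str *port,
 str *params,int *len)
 {
 int pos = 0;
+int total_len;
 
 if (!len)
 {
@@ -2925,6 +2926,21 @@ char *construct_uri(str *protocol,str *username,str *domain,str *port,
 return 0;
 }
 
+total_len = protocol->len + 1 /* ':' */ + domain->len;
+if (username && username->s && username->len != 0)
+total_len += username->len + 1; /* '@' */
+if (port && port->s && port->len != 0)
+total_len += port->len + 1; /* ':' */
+if (params && params->s && params->len != 0)
+total_len += params->len + 1; /* ';' */
+total_len += 1; /* null terminator */
+
+if (total_len > MAX_URI_LEN) {
+LM_ERR("constructed URI too long (%d > %d)\n",
+total_len, MAX_URI_LEN);
+return 0;
+}
+
 memcpy(uri_buff,protocol->s,protocol->len);
 pos += protocol->len;
 uri_buff[pos++] = ':';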
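Review bot: `total_len` in the second hunk is summed in signed int from caller-supplied `len` fields with no per-field check, so a negative `len` lowers the total and passes `total_len > MAX_URI_LEN`, while `memcpy(uri_buff,protocol->s,protocol->len)` right below converts it to a very large size. Unless the validation between the two hunks (not visible here) already rules that out, I would reject negative components before summing, e.g. `if (protocol->len < 0 || domain->len < 0) return 0;`, with the same test inside each optional branch. The three optional-part conditions also have to stay identical to the ones guarding the copies further down in construct_uri, which are outside the hunk; a comment saying so above the computation would help the next editor. The check also assumes uri_buff holds MAX_URI_LEN bytes, and its declaration is not shown.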
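--- a/net/proto_tcp/tcp_common.h
+++ b/net/proto_tcp/tcp_common.h
@@ -294,6 +294,14 @@ inline static void tcp_parse_headers(struct tcp_req *r,
 case '7':
 case '8':
 case '9':
+if (r->content_len>=TCP_BUF_SIZE) {
+LM_ERR("Content-Length value %d bigger than the "
+"reading buffer\n", r->content_len);
+r->error = TCP_REQ_BAD_LEN;
+r->state = H_SKIP;
+r->content_len = 0;
+break;
+}
 r->content_len=r->content_len*10+(*p-'0');
 if (r->content_len>=TCP_BUF_SIZE) {
 LM_ERR("Content-Length value %d bigger than the "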
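Review bot: The guard added before the multiplication repeats the error block that already follows the update, and whether it can fire at all depends on code past the end of the hunk. If the existing post-update check also resets `content_len` and moves to `H_SKIP`, the value can never be `>= TCP_BUF_SIZE` on entry to this case. A single pre-check that accounts for the incoming digit would cover both situations without the duplication, e.g. `if (r->content_len > (TCP_BUF_SIZE - 1 - (*p - '0')) / 10)` followed by the one error block. Either way, a short comment stating that the guard keeps `content_len*10` from overflowing int would record why it is there.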
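--- a/parser/parse_body.c
+++ b/parser/parse_body.c
@@ -130,6 +130,10 @@ static char *find_line_delimiter(char* p, char* plimit, str delimiter)
 cp1 = l_memmem(cp, delimiterhead, plimit-cp, 2);
 if (cp1 == NULL)
 return NULL;
+/* ensure enough room for the delimiter match */
+if (plimit - cp1 < 2 + delimiter.len) {
+return NULL;
+}
 /* We matched '--',
 * now let's match the boundary delimiter */
 if (strncmp(cp1+2, delimiter.s, delimiter.len) == 0)
@@ -141,8 +145,6 @@ static char *find_line_delimiter(char* p, char* plimit, str delimiter)
 }
 if (cp1[-1] == '\n' || cp1[-1] == '\r')
 return cp1;
-if (plimit - cp1 < 2 + delimiter.len)
-return NULL;
 cp = cp1 + 2 + delimiter.len;
 }
 }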
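Review bot: The `cp1[-1]` test in the second hunk reads one byte before the match, and nothing visible in either hunk prevents `cp1 == p`, so a body that starts with the `--` boundary would be read one byte before the buffer. The lines between the two hunks are not shown, so this may already be handled there. If it is not, `if (cp1 > p && (cp1[-1] == '\n' || cp1[-1] == '\r'))` closes it, or `cp1 == p ||` if the start of the body should count as a line start. Now that the length is checked before the comparison, `strncmp(cp1+2, delimiter.s, delimiter.len)` could also become `memcmp`, which does not stop at a NUL byte inside the body.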
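--- a/transformations.c
+++ b/transformations.c
@@ -957,7 +957,8 @@ int tr_eval_string(struct sip_msg *msg, tr_param_t *tp, int subtype,
 val->flags |= PV_VAL_STR;
 break;
 }
-if(val->rs.len>TR_BUFFER_SIZE-1) {
+if(val->rs.len>TR_BUFFER_SIZE-1 ||
+calc_base64_encode_len(val->rs.len)>TR_BUFFER_SIZE) {
 LM_ERR("b64encode value larger than buffer\n");
 goto error;
 }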
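Review bot: The two clauses of the new condition use different bounds: the input length is held to `TR_BUFFER_SIZE-1`, while the encoded length may equal `TR_BUFFER_SIZE`, which leaves no byte for a terminator. If the encoding code after this check (outside the hunk) writes a trailing NUL or otherwise relies on one spare byte, the second clause should read `calc_base64_encode_len(val->rs.len)>TR_BUFFER_SIZE-1`. The encoded length is presumably never smaller than the input length, so the first clause then becomes redundant and could be dropped, or kept with a comment saying it is a cheap early reject.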