[sr-dev] git:4.2:bc4a545a: seas: safety check for target buffer size before copying message in encode_msg()

Module: kamailio Branch: 4.2 Commit: bc4a545aa050dd36c982bf102464edbc14a88753 URL: https://github.com/kamailio/kamailio/commit/bc4a545aa050dd36c982bf102464edb… Author: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt; Committer: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt; Date: 2016-02-12T18:08:01+01:00 seas: safety check for target buffer size before copying message in encode_msg() - avoid buffer overflow for large SIP messages - reported by Stelios Tsampas (cherry picked from commit f50c9c853e7809810099c970780c30b0765b0643) (cherry picked from commit 18cd34781d2bdda9c19314c0494f6a655dbe6089) --- Modified: modules/seas/encode_msg.c --- Diff: https://github.com/kamailio/kamailio/commit/bc4a545aa050dd36c982bf102464edb… Patch: https://github.com/kamailio/kamailio/commit/bc4a545aa050dd36c982bf102464edb… --- diff --git a/modules/seas/encode_msg.c b/modules/seas/encode_msg.c index 06d31a3..e56b5fb 100644 --- a/modules/seas/encode_msg.c +++ b/modules/seas/encode_msg.c @@ -158,6 +158,7 @@ int encode_msg(struct sip_msg *msg,char *payload,int len) if(len < MAX_ENCODED_MSG + MAX_MESSAGE_LEN) return -1; + if(parse_headers(msg,HDR_EOH_F,0)<0){ myerror="in parse_headers"; goto error; @@ -266,6 +267,11 @@ int encode_msg(struct sip_msg *msg,char *payload,int len) /*j+=k;*/ /*pkg_free(payload2);*/ /*now we copy the actual message after the headers-meta-section*/ + + if(len < j + msg->len + 1) { + LM_ERR("not enough space to encode sip message\n"); + return -1; + } memcpy(&payload[j],msg->buf,msg->len); LM_DBG("msglen = %d,msg starts at %d\n",msg->len,j); j=htons(j);