Module: kamailio
Branch: master
Commit: 82f14f54a45a2d0ddd4c870d6fb4adae7e1a65f1
URL:
https://github.com/kamailio/kamailio/commit/82f14f54a45a2d0ddd4c870d6fb4ada…
Author: Fabricio Santolin da Silva <fabricio.santolin-da-silva(a)al-enterprise.com>
Committer: Victor Seva <linuxmaniac(a)torreviejawireless.org>
Date: 2022-05-03T10:04:17+02:00
pv_headers: fix possible mem. overflow issue and wrong size string
- remove a variable creation
- change from using snprintf to memset (no more \0 at last position)
- change the destination of an allocated space being smaller than the source
---
Modified: src/modules/pv_headers/pvh_func.c
---
Diff:
https://github.com/kamailio/kamailio/commit/82f14f54a45a2d0ddd4c870d6fb4ada…
Patch:
https://github.com/kamailio/kamailio/commit/82f14f54a45a2d0ddd4c870d6fb4ada…
---
diff --git a/src/modules/pv_headers/pvh_func.c b/src/modules/pv_headers/pvh_func.c
index c2a3f98e41..dde1b8301b 100644
--- a/src/modules/pv_headers/pvh_func.c
+++ b/src/modules/pv_headers/pvh_func.c
@@ -383,13 +383,13 @@ int pvh_header_param_exists(struct sip_msg *msg, str *hname, str
*hvalue)
int pvh_remove_header_param(struct sip_msg *msg, int idx, str *hname, str *elements, str
*toRemove)
{
+ int notTarget, writtenChars;
int offset = 0;
int ret = -1;
char *next_token;
char *token;
char *result = (char*)pkg_malloc(elements->len - toRemove->len);
- char *t = (char*)pkg_malloc(elements->len);
- int maxSize = elements->len;
+ char *t = (char*)pkg_malloc(elements->len+1);
if (result == NULL || t == NULL)
{
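Review bot: `result` is still allocated with `elements->len - toRemove->len` bytes, while the snprintf calls in the second hunk (`@@ -397,37 +397,35 @@`) limit their writes with `elements->len - offset`, so whenever fewer than `toRemove->len` bytes are actually dropped (for example when no token matches) the writes can run past the end of the allocation. The size expression is also zero or negative when `toRemove->len >= elements->len`, and that case is only tested with `> 0` after the loop has already written into the buffer. Size the buffer for the bound the loop uses, `char *result = (char*)pkg_malloc(elements->len + 1);`, or keep a single capacity variable for both the allocation and the snprintf limits. The function body continues past this hunk.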
@@ -397,37 +397,35 @@ int pvh_remove_header_param(struct sip_msg *msg, int idx, str
*hname, str *eleme
goto clean;
}
- snprintf(result, elements->len - toRemove->len, "%*s", elements->len
- toRemove->len, "");
snprintf(t, elements->len+1, "%s", elements->s);
token = strtok_r(t, ", ", &next_token);
while(token)
{
- int notTarget = strncmp(token, toRemove->s, toRemove->len);
+ notTarget = strncmp(token, toRemove->s, toRemove->len);
if (notTarget)
{
- int n = snprintf(result + offset, maxSize - offset, "%s", token);
- if (n < 0 || n >= maxSize - offset)
+ writtenChars = snprintf(result + offset, elements->len - offset, "%s",
token);
+ if (writtenChars < 0 || writtenChars >= elements->len - offset)
{
break;
}
- offset += n;
+ offset += writtenChars;
}
token = strtok_r(NULL, ", ", &next_token);
- if (token && notTarget && maxSize - offset - toRemove->len > 2)
+ if (token && notTarget && elements->len - offset - toRemove->len
> 2)
{
- int n = snprintf(result + offset, maxSize - offset, ", ");
- if (n < 0 || n >= maxSize - offset)
+ writtenChars = snprintf(result + offset, elements->len - offset, ", ");
+ if (writtenChars < 0 || writtenChars >= elements->len - offset)
{
break;
}
- offset += n;
+ offset += writtenChars;
}
}
if (elements->len-toRemove->len > 0)
{
- snprintf(elements->s, elements->len, "%*s",
elements->len-toRemove->len, "");
snprintf(elements->s, (strlen(result)%elements->len)+1, "%s", result);
elements->len = strlen(result);
ret = 1;
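Review bot: `result` is no longer initialised before `strlen(result)` in the final block: the space-filling snprintf is removed and no memset appears in the diff despite the description, so when every token matches `toRemove` (or `elements` holds only separators) the loop writes nothing and strlen reads uninitialised pkg memory. Add `result[0] = '\0';` right after the NULL check. Separately, `snprintf(t, elements->len+1, "%s", elements->s)` has to scan `elements->s` up to a NUL to compute its return value; if the `str` is not NUL-terminated that reads past the value, and `"%.*s", elements->len, elements->s` keeps the read inside it. The function starts before this hunk and the `clean` label it jumps to is not visible here.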