[sr-dev] git:master:f50c9c85: seas: safety check for target buffer size before copying message in encode_msg()

Module: kamailio Branch: master Commit: f50c9c853e7809810099c970780c30b0765b0643 URL: https://github.com/kamailio/kamailio/commit/f50c9c853e7809810099c970780c30b… Author: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt; Committer: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt; Date: 2016-02-12T18:04:19+01:00 seas: safety check for target buffer size before copying message in encode_msg() - avoid buffer overflow for large SIP messages - reported by Stelios Tsampas --- Modified: modules/seas/encode_msg.c --- Diff: https://github.com/kamailio/kamailio/commit/f50c9c853e7809810099c970780c30b… Patch: https://github.com/kamailio/kamailio/commit/f50c9c853e7809810099c970780c30b… --- diff --git a/modules/seas/encode_msg.c b/modules/seas/encode_msg.c index 06d31a3..e56b5fb 100644 --- a/modules/seas/encode_msg.c +++ b/modules/seas/encode_msg.c @@ -158,6 +158,7 @@ int encode_msg(struct sip_msg *msg,char *payload,int len) if(len < MAX_ENCODED_MSG + MAX_MESSAGE_LEN) return -1; + if(parse_headers(msg,HDR_EOH_F,0)<0){ myerror="in parse_headers"; goto error; @@ -266,6 +267,11 @@ int encode_msg(struct sip_msg *msg,char *payload,int len) /*j+=k;*/ /*pkg_free(payload2);*/ /*now we copy the actual message after the headers-meta-section*/ + + if(len < j + msg->len + 1) { + LM_ERR("not enough space to encode sip message\n"); + return -1; + } memcpy(&payload[j],msg->buf,msg->len); LM_DBG("msglen = %d,msg starts at %d\n",msg->len,j); j=htons(j);