git:master: core: safety check for content-lenght size in tcp read - sr-dev

11 Apr 2013

Module: sip-router
Branch: master
Commit: 3c54420914c011bdd874a97c4c40ee9dacb59788
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=3c544209...
Author: Daniel-Constantin Mierla miconda@gmail.com
Committer: Daniel-Constantin Mierla miconda@gmail.com
Date:   Fri Apr 12 00:50:24 2013 +0200
core: safety check for content-lenght size in tcp read
- avoid getting negative
- upon a report by Kevin Wojtysiak
---
tcp_read.c |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

diff --git a/tcp_read.c b/tcp_read.c
index 53f4a7a..37b577f 100644
--- a/tcp_read.c
+++ b/tcp_read.c
@@ -797,11 +797,25 @@ int tcp_read_headers(struct tcp_connection *c, int* read_flags)
    				case '\r':
    				case ' ':
    				case '\t': /* FIXME: check if line contains only WS */
+						if(r->content_len<0) {
+							LOG(L_ERR, "bad Content-Length header value %d in"
+									" state %d\n", r->content_len, r->state);
+							r->content_len=0;
+							r->error=TCP_REQ_BAD_LEN;
+							r->state=H_SKIP; /* skip now */
+						}
    					r->state=H_SKIP;
    					r->flags|=F_TCP_REQ_HAS_CLEN;
    					break;
    				case '\n':
    					/* end of line, parse successful */
+						if(r->content_len<0) {
+							LOG(L_ERR, "bad Content-Length header value %d in"
+									" state %d\n", r->content_len, r->state);
+							r->content_len=0;
+							r->error=TCP_REQ_BAD_LEN;
+							r->state=H_SKIP; /* skip now */
+						}
    					r->state=H_LF;
    					r->flags|=F_TCP_REQ_HAS_CLEN;
    					break;

    