Module: kamailio
Branch: master
Commit: f47f42ac12ad111b3bad52aa2d495fbed5ef395d
URL:
https://github.com/kamailio/kamailio/commit/f47f42ac12ad111b3bad52aa2d495fb…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: 2017-09-15T09:27:07+02:00
core: tcp_read_headers() safety checks for parsed pointer
- if it points before the start of the read buffer and the state is H_SKIP_EMPTY, reset it to the buffer start and continue; any other out-of-range value is reset, flagged with TCP_REQ_BAD_LEN and makes the function return -1
---
Modified: src/core/tcp_read.c
---
Diff:
https://github.com/kamailio/kamailio/commit/f47f42ac12ad111b3bad52aa2d495fb…
Patch:
https://github.com/kamailio/kamailio/commit/f47f42ac12ad111b3bad52aa2d495fb…
---
diff --git a/src/core/tcp_read.c b/src/core/tcp_read.c
index 77a86854e8..edd136e3d2 100644
--- a/src/core/tcp_read.c
+++ b/src/core/tcp_read.c
@@ -430,7 +430,7 @@ int tcp_read_headers(struct tcp_connection *c, int* read_flags)
r->state=(newstate); break; \
crlf_default_skip_case; \
}
-
+
#define change_state_case(state0, upper, lower, newstate)\
case state0: \
change_state(upper, lower, newstate); \
@@ -439,6 +439,22 @@ int tcp_read_headers(struct tcp_connection *c, int* read_flags)
r=&c->req;
+ if(r->parsed<r->buf || r->parsed>r->buf+r->b_size) {
+ if(r->parsed<r->buf && (unsigned char)r->state==H_SKIP_EMPTY) {
+ /* give it a chance to parse from beginning */
+ LM_WARN("resetting parsed pointer (buf:%p parsed:%p bsize:%u)\n",
+ r->buf, r->parsed, r->b_size);
+ r->parsed = r->buf;
+ } else {
+ LM_ERR("out of bounds parsed pointer (buf:%p parsed:%p bsize:%u)\n",
+ r->buf, r->parsed, r->b_size);
+ r->parsed = r->buf;
+ r->content_len=0;
+ r->error=TCP_REQ_BAD_LEN;
+ r->state=H_SKIP; /* skip state now */
+ return -1;
+ }
+ }
/* if we still have some unparsed part, parse it first, don't do the read*/
if (unlikely(r->parsed<r->pos)){
bytes=0;