Module: kamailio Branch: master Commit: f47f42ac12ad111b3bad52aa2d495fbed5ef395d URL: https://github.com/kamailio/kamailio/commit/f47f42ac12ad111b3bad52aa2d495fbe...
Author: Daniel-Constantin Mierla miconda@gmail.com Committer: Daniel-Constantin Mierla miconda@gmail.com Date: 2017-09-15T09:27:07+02:00
core: tcp_read_headers() safety checks for parsed pointer
- reset it if it is out of the read buffer range and the state is H_SKIP_EMPTY
---
Modified: src/core/tcp_read.c
---
Diff: https://github.com/kamailio/kamailio/commit/f47f42ac12ad111b3bad52aa2d495fbe... Patch: https://github.com/kamailio/kamailio/commit/f47f42ac12ad111b3bad52aa2d495fbe...
---
diff --git a/src/core/tcp_read.c b/src/core/tcp_read.c
index 77a86854e8..edd136e3d2 100644
--- a/src/core/tcp_read.c
+++ b/src/core/tcp_read.c
@@ -430,7 +430,7 @@ int tcp_read_headers(struct tcp_connection *c, int* read_flags)
 r->state=(newstate); break; \
 crlf_default_skip_case; \
 }
-
+
 #define change_state_case(state0, upper, lower, newstate)\
 case state0: \
 change_state(upper, lower, newstate); \
@@ -439,6 +439,22 @@ int tcp_read_headers(struct tcp_connection *c, int* read_flags)
 r=&c->req;
+ if(r->parsed<r->buf || r->parsed>r->buf+r->b_size) {
+ if(r->parsed<r->buf && (unsigned char)r->state==H_SKIP_EMPTY) {
+ /* give it a chance to parse from beginning */
+ LM_WARN("resetting parsed pointer (buf:%p parsed:%p bsize:%u)\n",
+ r->buf, r->parsed, r->b_size);
+ r->parsed = r->buf;
+ } else {
+ LM_ERR("out of bounds parsed pointer (buf:%p parsed:%p bsize:%u)\n",
+ r->buf, r->parsed, r->b_size);
+ r->parsed = r->buf;
+ r->content_len=0;
+ r->error=TCP_REQ_BAD_LEN;
+ r->state=H_SKIP; /* skip state now */
+ return -1;
+ }
+ }
 /* if we still have some unparsed part, parse it first, don't do the read*/
 if (unlikely(r->parsed<r->pos)){
 bytes=0;