Module: kamailio Branch: master Commit: 39fee94eb6fd6c0c52e2f88776bfd2ca61825300 URL: https://github.com/kamailio/kamailio/commit/39fee94eb6fd6c0c52e2f88776bfd2ca...
Author: jaybeepee jason.penton@gmail.com Committer: jaybeepee jason.penton@gmail.com Date: 2016-10-03T15:50:34+02:00
modules/ims_registrar_scscf: prevent possible segfault on contact param with no name
---
Modified: modules/ims_registrar_scscf/reply.c
---
Diff: https://github.com/kamailio/kamailio/commit/39fee94eb6fd6c0c52e2f88776bfd2ca... Patch: https://github.com/kamailio/kamailio/commit/39fee94eb6fd6c0c52e2f88776bfd2ca...
---
diff --git a/modules/ims_registrar_scscf/reply.c b/modules/ims_registrar_scscf/reply.c
index c52334f..d86887f 100644
--- a/modules/ims_registrar_scscf/reply.c
+++ b/modules/ims_registrar_scscf/reply.c
@@ -115,19 +115,21 @@ static inline unsigned int calc_buf_len(impurecord_t* impurec) {
 }
 tmp = c->params;
 while (tmp) {
- if ((tmp->name.s[0] == 'R' || tmp->name.s[0]=='r') && tmp->name.len == 8 && !memcmp(tmp->name.s+1, "eceived", 7)) {
- tmp = tmp->next;
- continue;
- }
- if ((tmp->name.s[0] == 'Q' || tmp->name.s[0]=='q') && tmp->name.len == 1) {
- tmp = tmp->next;
- continue;
- }
- if ((tmp->name.s[0] == 'E' || tmp->name.s[0] == 'e') && tmp->name.len == 7 && !memcmp(tmp->name.s + 1, "xpires", 6)) {
- tmp = tmp->next;
- continue;
- }
- len += tmp->name.len;
+ if (tmp->name.len > 0 && tmp->name.s) {
+ if ((tmp->name.s[0] == 'R' || tmp->name.s[0]=='r') && tmp->name.len == 8 && !memcmp(tmp->name.s+1, "eceived", 7)) {
+ tmp = tmp->next;
+ continue;
+ }
+ if ((tmp->name.s[0] == 'Q' || tmp->name.s[0]=='q') && tmp->name.len == 1) {
+ tmp = tmp->next;
+ continue;
+ }
+ if ((tmp->name.s[0] == 'E' || tmp->name.s[0] == 'e') && tmp->name.len == 7 && !memcmp(tmp->name.s + 1, "xpires", 6)) {
+ tmp = tmp->next;
+ continue;
+ }
+ len += tmp->name.len + 1 /*separator ; */;
+ }
 if (tmp->body.len > 0) {
 len = len + 1/*=*/ + 2/*2 x "*/;
 len += tmp->body.len;
@@ -437,6 +439,7 @@ int build_contact(impurecord_t* impurec, contact_for_header_t** contact_header)
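Review bot: A parameter with no name but a non-empty body still reaches the `if (tmp->body.len > 0)` branch after the new guard in calc_buf_len, so its `="..."` bytes are counted here and, in the matching loop of build_contact (third hunk), written with no `;name` in front of them. Skipping the nameless parameter at the top of both loops would avoid emitting a malformed Contact parameter: `if (tmp->name.len <= 0 || !tmp->name.s) { tmp = tmp->next; continue; }`. The two loops have to change together, because the buffer is sized by one and filled by the other. The loop body continues past the end of this hunk.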
 tmp_contact_header->data_len = calc_buf_len(impurec);
 tmp_contact_header->buf = (char*)shm_malloc(tmp_contact_header->data_len);
+ memset(tmp_contact_header->buf, 0, tmp_contact_header->data_len);
 if (tmp_contact_header->data_len) {
 p = tmp_contact_header->buf;
@@ -496,21 +499,24 @@ int build_contact(impurecord_t* impurec, contact_for_header_t** contact_header)
 /* put in the rest of the params except Q and received */
 tmp = c->params;
 while (tmp) {
- if ((tmp->name.s[0] == 'R' || tmp->name.s[0]=='r') && tmp->name.len == 8 && !memcmp(tmp->name.s+1, "eceived", 7)) {
- tmp = tmp->next;
- continue;
- }
- if ((tmp->name.s[0] == 'Q' || tmp->name.s[0]=='q') && tmp->name.len == 1) {
- tmp = tmp->next;
- continue;
- }
- if ((tmp->name.s[0] == 'E' || tmp->name.s[0]=='e') && tmp->name.len == 7 && !memcmp(tmp->name.s+1, "xpires", 6)) {
- tmp = tmp->next;
- continue;
- }
- *p++ = ';';
- memcpy(p, tmp->name.s, tmp->name.len);
- p += tmp->name.len;
+ if (tmp->name.len>0 && tmp->name.s) {
+ if ((tmp->name.s[0] == 'R' || tmp->name.s[0]=='r') && tmp->name.len == 8 && !memcmp(tmp->name.s+1, "eceived", 7)) {
+ tmp = tmp->next;
+ continue;
+ }
+ if ((tmp->name.s[0] == 'Q' || tmp->name.s[0]=='q') && tmp->name.len == 1) {
+ tmp = tmp->next;
+ continue;
+ }
+ if ((tmp->name.s[0] == 'E' || tmp->name.s[0]=='e') && tmp->name.len == 7 && !memcmp(tmp->name.s+1, "xpires", 6)) {
+ tmp = tmp->next;
+ continue;
+ }
+ *p++ = ';';
+ memcpy(p, tmp->name.s, tmp->name.len);
+ p += tmp->name.len;
+ }
+
 if (tmp->body.len > 0) {
 *p++ = '=';
 *p++ = '"';
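Review bot: The added `memset` in build_contact dereferences `tmp_contact_header->buf` directly after `shm_malloc()`, and no NULL check is visible in this hunk, so running out of shared memory would fault here instead of being reported. Guard it with `if (!tmp_contact_header->buf)` and leave through the function's error path (not visible here) before clearing the buffer. The memset also runs ahead of the `if (tmp_contact_header->data_len)` test, so the zero-length case is worth confirming. The function starts and ends outside this hunk.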
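Review bot: The writes in this loop (`*p++ = ';'`, `memcpy(p, tmp->name.s, tmp->name.len)`) are unchecked and are only safe while this filter matches the one in calc_buf_len exactly, yet nothing in either copy says so. A comment above `while (tmp)` would make the coupling explicit: `/* must mirror the param filter in calc_buf_len(): buf is sized from it and written here without bounds checks */`. The loop continues beyond the last line of the hunk.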