git:master:0afc10d9: core: protect for unsigned int value overflow on string convert - sr-dev

29 Nov 2021

Module: kamailio
Branch: master
Commit: 0afc10d9b1b3f65b92d649d530b6363476b3d03b
URL: https://github.com/kamailio/kamailio/commit/0afc10d9b1b3f65b92d649d530b63634...
Author: Daniel-Constantin Mierla miconda@gmail.com
Committer: Daniel-Constantin Mierla miconda@gmail.com
Date: 2021-11-29T11:25:08+01:00
core: protect for unsigned int value overflow on string convert
---
Modified: src/core/ut.h
---
Diff:  https://github.com/kamailio/kamailio/commit/0afc10d9b1b3f65b92d649d530b63634...
Patch: https://github.com/kamailio/kamailio/commit/0afc10d9b1b3f65b92d649d530b63634...
---

diff --git a/src/core/ut.h b/src/core/ut.h
index 1dd0706f59..9b899a94e7 100644
--- a/src/core/ut.h
+++ b/src/core/ut.h
@@ -628,7 +628,7 @@ static inline void strlower(str* _s)
 }
-#define str2unval(_s, _r) do { \
+#define str2unval(_s, _r, _vmax) do { \
    	int i; \
    	if (_r == NULL) return -1; \
    	*_r = 0; \
@@ -637,7 +637,13 @@ static inline void strlower(str* _s)
    	if (_s->s == NULL) return -1; \
    	for(i = 0; i < _s->len; i++) { \
    		if ((_s->s[i] >= '0') && (_s->s[i] <= '9')) { \
+				if(*_r > _vmax/10) { \
+					return -1; \
+				} \
    			*_r *= 10; \
+				if(*_r > _vmax - (_s->s[i] - '0')) { \
+					return -1; \
+				} \
    			*_r += _s->s[i] - '0'; \
    		} else { \
    			return -1; \
@@ -651,7 +657,7 @@ static inline void strlower(str* _s)
  */
 static inline int str2ulong(str* _s, unsigned long* _r)
 {
-	str2unval(_s, _r);
+	str2unval(_s, _r, ULONG_MAX);
 }
/*
@@ -659,7 +665,7 @@ static inline int str2ulong(str* _s, unsigned long* _r)
  */
 static inline int str2int(str* _s, unsigned int* _r)
 {
-	str2unval(_s, _r);
+	str2unval(_s, _r, UINT_MAX);
 }
#define str2snval(_s, _r, _vmin, _vmax) do { \

    