Module: kamailio
Branch: master
Commit: 5a0e1c96bb7b315d9f9be05db402e63390e2eaaf
URL:
https://github.com/kamailio/kamailio/commit/5a0e1c96bb7b315d9f9be05db402e63…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: 2016-11-06T17:08:00+01:00
permissions: safety check of src len before copying to dst buffer
---
Modified: modules/permissions/parse_config.c
Modified: modules/permissions/rule.c
---
Diff:
https://github.com/kamailio/kamailio/commit/5a0e1c96bb7b315d9f9be05db402e63…
Patch:
https://github.com/kamailio/kamailio/commit/5a0e1c96bb7b315d9f9be05db402e63…
---
diff --git a/modules/permissions/parse_config.c b/modules/permissions/parse_config.c
index a96ed30..df33123 100644
--- a/modules/permissions/parse_config.c
+++ b/modules/permissions/parse_config.c
@@ -102,18 +102,23 @@ static int parse_expression_list(char *str, expression **e)
* return 0 on success, -1 on error
* parsed expressions are returned in **e, and exceptions are returned in **e_exceptions
*/
-static int parse_expression(char *str, expression **e, expression **e_exceptions)
+static int parse_expression(char *sv, expression **e, expression **e_exceptions)
{
char *except, str2[LINE_LENGTH+1];
int i,j;
- if (!str || !e || !e_exceptions) return -1;
+ if (!sv || !e || !e_exceptions) return -1;
- except = strstr(str, " EXCEPT ");
+ if(strlen(sv)>=LINE_LENGTH) {
+ LM_ERR("expression string is too long (%s)\n", sv);
+ return -1;
+ }
+
+ except = strstr(sv, " EXCEPT ");
if (except) {
/* exception found */
- strncpy(str2, str, except-str);
- str2[except-str] = '\0';
+ strncpy(str2, sv, except-sv);
+ str2[except-sv] = '\0';
/* except+8 points to the exception */
if (parse_expression_list(except+8, e_exceptions)) {
/* error */
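Review bot: The new length guard in parse_expression logs the whole rejected string with `%s`, so the one input already known to be over-long is written to the log in full. Reporting the length and the limit keeps the log line bounded and is more useful for diagnosis, for example `LM_ERR("expression string is too long (%lu >= %d)\n", (unsigned long)strlen(sv), LINE_LENGTH);`. The same applies to the `LM_ERR("expression string is too large (%s)\n", sv);` added to new_expression in rule.c. The guard itself is sufficient for `str2[LINE_LENGTH+1]`, and it is what makes the `strcpy(str2, sv)` in the next hunk safe, so that line deserves a short comment such as `/* strlen(sv) < LINE_LENGTH checked at function entry */`. The function body continues past the end of this hunk.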
@@ -122,7 +127,7 @@ static int parse_expression(char *str, expression **e, expression
**e_exceptions
}
} else {
/* no exception */
- strcpy(str2, str);
+ strcpy(str2, sv);
*e_exceptions = NULL;
}
diff --git a/modules/permissions/rule.c b/modules/permissions/rule.c
index 093911a..cd38a30 100644
--- a/modules/permissions/rule.c
+++ b/modules/permissions/rule.c
@@ -116,11 +116,16 @@ int search_rule(rule *r, char *left, char *right)
* allocate memory for a new expression
* str is saved in vale, and compiled to POSIX regexp (reg_value)
*/
-expression *new_expression(char *str)
+expression *new_expression(char *sv)
{
expression *e;
- if (!str) return 0;
+ if (!sv) return 0;
+
+ if(strlen(sv)>=EXPRESSION_LENGTH) {
+ LM_ERR("expression string is too large (%s)\n", sv);
+ return 0;
+ }
e = (expression *)pkg_malloc(sizeof(expression));
if (!e) {
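Review bot: The check `strlen(sv)>=EXPRESSION_LENGTH` protects the later `strcpy(e->value, sv)` only if `value` is declared with at least EXPRESSION_LENGTH bytes. That declaration is not part of this diff (presumably it is in the module's rule header), so the bound and the buffer size can drift apart unnoticed. Tying the bound to the destination avoids that, e.g. `if (strlen(sv) >= sizeof(((expression *)0)->value)) {`, assuming `value` is an array member and not a pointer. Separately, the function mixes `return 0` and `return NULL` for the same failure result; the added early return could be `return NULL;` to match the regcomp error path. The function body continues in the following hunks.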
@@ -128,7 +133,7 @@ expression *new_expression(char *str)
return 0;
}
- strcpy(e->value, str);
+ strcpy(e->value, sv);
e->reg_value = (regex_t*)pkg_malloc(sizeof(regex_t));
if (!e->reg_value) {
@@ -137,8 +142,8 @@ expression *new_expression(char *str)
return 0;
}
- if (regcomp(e->reg_value, str, REG_EXTENDED|REG_NOSUB|REG_ICASE) ) {
- LM_ERR("bad regular expression: %s\n", str);
+ if (regcomp(e->reg_value, sv, REG_EXTENDED|REG_NOSUB|REG_ICASE) ) {
+ LM_ERR("bad regular expression: %s\n", sv);
pkg_free(e->reg_value);
pkg_free(e);
return NULL;