Module: kamailio
Branch: 5.0
Commit: 1ecc88431777f0013aa29cbcccc041168002dea5
URL:
https://github.com/kamailio/kamailio/commit/1ecc88431777f0013aa29cbcccc0411…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: 2017-09-15T14:46:29+02:00
core: tcp_read_headers() safety checks for parsed pointer
- reset it to the buffer start if it is below the read buffer range and the state is H_SKIP_EMPTY
(cherry picked from commit f47f42ac12ad111b3bad52aa2d495fbed5ef395d)
---
Modified: src/core/tcp_read.c
---
Diff:
https://github.com/kamailio/kamailio/commit/1ecc88431777f0013aa29cbcccc0411…
Patch:
https://github.com/kamailio/kamailio/commit/1ecc88431777f0013aa29cbcccc0411…
---
diff --git a/src/core/tcp_read.c b/src/core/tcp_read.c
index 7014353c62..818bc52b7f 100644
--- a/src/core/tcp_read.c
+++ b/src/core/tcp_read.c
@@ -428,7 +428,7 @@ int tcp_read_headers(struct tcp_connection *c, int* read_flags)
r->state=(newstate); break; \
crlf_default_skip_case; \
}
-
+
#define change_state_case(state0, upper, lower, newstate)\
case state0: \
change_state(upper, lower, newstate); \
@@ -437,6 +437,22 @@ int tcp_read_headers(struct tcp_connection *c, int* read_flags)
r=&c->req;
+ if(r->parsed<r->buf || r->parsed>r->buf+r->b_size) {
+ if(r->parsed<r->buf && (unsigned char)r->state==H_SKIP_EMPTY) {
+ /* give it a chance to parse from beginning */
+ LM_WARN("resetting parsed pointer (buf:%p parsed:%p bsize:%u)\n",
+ r->buf, r->parsed, r->b_size);
+ r->parsed = r->buf;
+ } else {
+ LM_ERR("out of bounds parsed pointer (buf:%p parsed:%p bsize:%u)\n",
+ r->buf, r->parsed, r->b_size);
+ r->parsed = r->buf;
+ r->content_len=0;
+ r->error=TCP_REQ_BAD_LEN;
+ r->state=H_SKIP; /* skip state now */
+ return -1;
+ }
+ }
/* if we still have some unparsed part, parse it first, don't do the read*/
if (unlikely(r->parsed<r->pos)){
bytes=0;