Module: sip-router Branch: 4.0 Commit: 56ba8ea8b1f1f26ccc36dfb073e1559eca4d77b1 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=56ba8ea… Author: Camille Oudot <camille.oudot(a)orange.com> Committer: Camille Oudot <camille.oudot(a)orange.com> Date: Tue Jun 11 16:34:49 2013 +0200 modules/ims_isc: several safety checks - fixed potential buffer overflow - fixed potential crash if regcomp fails --- modules/ims_isc/checker.c | 21 +++++++++++++++++++-- 1 files changed, 19 insertions(+), 2 deletions(-) diff --git a/modules/ims_isc/checker.c b/modules/ims_isc/checker.c index fd44f06..31921a4 100644 --- a/modules/ims_isc/checker.c +++ b/modules/ims_isc/checker.c @@ -57,15 +57,32 @@ static int isc_check_headers(ims_spt *spt, struct hdr_field *headers) { char buf[256]; regex_t header_comp, content_comp; i = headers; + + if (spt->sip_header.header.len >= sizeof(buf)) { + LM_ERR("Header name \"%.*s\" is to long to be processed (max %d bytes)\n", spt->sip_header.header.len, spt->sip_header.header.s, (int) (sizeof(buf) - 1)); + return FALSE; + } + if (spt->sip_header.content.len >= sizeof(buf)) { + LM_ERR("Header content \"%.*s\" is to long to be processed (max %d bytes)\n", spt->sip_header.content.len, spt->sip_header.content.s, (int) (sizeof(buf) - 1)); + return FALSE; + } + /* compile the regex for header name */ memcpy(buf, spt->sip_header.header.s, spt->sip_header.header.len); buf[spt->sip_header.header.len] = 0; - regcomp(&(header_comp), buf, REG_ICASE | REG_EXTENDED); + if (regcomp(&(header_comp), buf, REG_ICASE | REG_EXTENDED) != 0) { + LM_ERR("Error compiling the following regexp for header name: %.*s\n", spt->sip_header.header.len, spt->sip_header.header.s); + return FALSE; + } /* compile the regex for content */ memcpy(buf, spt->sip_header.content.s, spt->sip_header.content.len); buf[spt->sip_header.content.len] = 0; - regcomp(&(content_comp), buf, REG_ICASE | REG_EXTENDED); + if(regcomp(&(content_comp), buf, REG_ICASE | REG_EXTENDED) != 0) { + LM_ERR("Error compiling the following regexp for header content: %.*s\n", spt->sip_header.content.len, spt->sip_header.content.s); + regfree(&(header_comp)); + return FALSE; + } LM_DBG("isc_check_headers: Looking for Header[%.*s(%d)] %.*s \n", spt->sip_header.header.len, spt->sip_header.header.s, spt->sip_header.type, spt->sip_header.content.len, spt->sip_header.content.s);