Module: kamailio
Branch: master
Commit: ca8e6540cd2cd31b63b192a5a3da282eb09b6c94
URL: https://github.com/kamailio/kamailio/commit/ca8e6540cd2cd31b63b192a5a3da282e...

Author: Stefan Andersson stefan.andersson@tele2.com
Committer: Stefan Andersson stefan.andersson@tele2.com
Date: 2015-06-03T10:54:25+02:00
* Fix for buffer overflow in enum_pv_query_3 for char string[17], where the boundary checks for it in is_e164 use MAX_NUM_LEN.
* Increased the size of MAX_NUM_LEN to 33 to support the maximum number length of 32, which is what we support here on our ISUP links.

Bug: The buffer overflow bug can be triggered by calling enum_pv_query with a number that is too long, e.g. +1234567890123456789
---
Modified: modules/enum/enum.c
Modified: modules/enum/enum.h
---
Diff: https://github.com/kamailio/kamailio/commit/ca8e6540cd2cd31b63b192a5a3da282e...
Patch: https://github.com/kamailio/kamailio/commit/ca8e6540cd2cd31b63b192a5a3da282e...
---
diff --git a/modules/enum/enum.c b/modules/enum/enum.c index 3c21c2f..6439f54 100644 --- a/modules/enum/enum.c +++ b/modules/enum/enum.c @@ -34,7 +34,7 @@ * based on the user part of the current Request-URI. These functions * assume that the Request URI user part consists of an international * phone number of the form +decimal-digits, where the number of digits is - * at least 2 and at most 15. Out of this number enum_query forms a domain + * at least 2 and at most 32. Out of this number enum_query forms a domain * name, where the digits are in reverse order and separated by dots * followed by domain suffix that by default is "e164.arpa.". For example, * if the user part is +35831234567, the domain name will be @@ -1005,7 +1005,7 @@ int enum_pv_query_3(struct sip_msg* _msg, char* _sp, char* _suffix, struct naptr_rdata* naptr; str pattern, replacement, result, new_result; str *suffix, *service; - char string[17]; + char string[MAX_NUM_LEN]; pv_spec_t *sp; pv_value_t pv_val;
diff --git a/modules/enum/enum.h b/modules/enum/enum.h index 838caf6..1f1a509 100644 --- a/modules/enum/enum.h +++ b/modules/enum/enum.h @@ -35,7 +35,7 @@
#define MAX_DOMAIN_SIZE 256 -#define MAX_NUM_LEN 22 +#define MAX_NUM_LEN 33 #define MAX_COMPONENT_SIZE (MAX_NUM_LEN * 2) /* separator, apex, ... This simplifies checks */
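Review bot: In the first enum.c hunk, the header comment now hard-codes "at most 32" while the real limit lives in MAX_NUM_LEN in enum.h, so the two can drift apart again the way string[17] and MAX_NUM_LEN did. The comment still describes the input as an international phone number, and E.164 numbers are at most 15 digits, so it would help to state here that the higher limit is deliberate (the commit message gives ISUP links as the reason) and to refer to MAX_NUM_LEN by name instead of repeating the number.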
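Review bot: In the second enum.c hunk, char string[MAX_NUM_LEN] removes the size mismatch only for enum_pv_query_3, and the hunk does not show the copy into string, so safety still depends on a length check that lives elsewhere (is_e164, per the commit message). Suggest bounding the copy itself with sizeof(string) so the buffer and its check cannot diverge, and checking the other functions in enum.c for locally declared number buffers with literal sizes.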
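Review bot: In the enum.h hunk, 33 does not obviously leave room for everything the updated comment in enum.c promises: a leading '+', 32 digits and a terminating NUL need 34 bytes, whereas the old pairing (15 digits, string[17]) left two spare bytes. Please confirm whether the is_e164 comparison counts the '+' and whether it is a strict less-than, and add a comment on the define stating what the value includes. MAX_COMPONENT_SIZE is derived from it and grows from 44 to 66, so buffers sized with it, and the resulting name's fit within MAX_DOMAIN_SIZE 256, deserve a second look.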