about summary refs log tree commit diff
path: root/pkgs/applications/networking/sniffers/sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/applications/networking/sniffers/sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch')
-rw-r--r--pkgs/applications/networking/sniffers/sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch74
1 files changed, 74 insertions, 0 deletions
diff --git a/pkgs/applications/networking/sniffers/sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch b/pkgs/applications/networking/sniffers/sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch
new file mode 100644
index 0000000000000..29ea997fee464
--- /dev/null
+++ b/pkgs/applications/networking/sniffers/sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch
@@ -0,0 +1,74 @@
+Based on upstream dd5fec92730562af6f96891291cd4e102b80bfcc, adjusted to
+apply cleanly to 1.7.0
+
+diff --git a/src/sip.c b/src/sip.c
+index 20a2d81..f2dde5c 100644
+--- a/src/sip.c
++++ b/src/sip.c
+@@ -264,7 +264,7 @@ sip_validate_packet(packet_t *packet)
+     uint32_t plen = packet_payloadlen(packet);
+     u_char payload[MAX_SIP_PAYLOAD];
+     regmatch_t pmatch[4];
+-    char cl_header[10];
++    char cl_header[MAX_CONTENT_LENGTH_SIZE];
+     int content_len;
+     int bodylen;
+ 
+@@ -291,7 +291,15 @@ sip_validate_packet(packet_t *packet)
+         return VALIDATE_PARTIAL_SIP;
+     }
+ 
+-    strncpy(cl_header, (const char *)payload +  pmatch[2].rm_so, (int)pmatch[2].rm_eo - pmatch[2].rm_so);
++    // Ensure the copy length does not exceed MAX_CONTENT_LENGTH_SIZE - 1
++    int cl_match_len = pmatch[2].rm_eo - pmatch[2].rm_so;
++    if (cl_match_len > MAX_CONTENT_LENGTH_SIZE - 1) {
++        cl_match_len = MAX_CONTENT_LENGTH_SIZE - 1;
++    }
++
++    strncpy(cl_header, (const char *)payload +  pmatch[2].rm_so, cl_match_len);
++    cl_header[cl_match_len] = '\0'; // Ensuring null termination
++
+     content_len = atoi(cl_header);
+ 
+     // Check if we have Body separator field
+@@ -756,7 +764,7 @@ void
+ sip_parse_extra_headers(sip_msg_t *msg, const u_char *payload)
+ {
+     regmatch_t pmatch[4];
+-    char warning[10];
++    char warning[MAX_WARNING_SIZE];
+ 
+      // Reason text
+      if (regexec(&calls.reg_reason, (const char *)payload, 2, pmatch, 0) == 0) {
+@@ -766,8 +774,16 @@ sip_parse_extra_headers(sip_msg_t *msg, const u_char *payload)
+ 
+      // Warning code
+      if (regexec(&calls.reg_warning, (const char *)payload, 2, pmatch, 0) == 0) {
+-         strncpy(warning, (const char *)payload +  pmatch[1].rm_so, (int)pmatch[1].rm_eo - pmatch[1].rm_so);
+-         msg->call->warning = atoi(warning);
++
++        // Ensure the copy length does not exceed MAX_WARNING_SIZE - 1
++        int warning_match_len = pmatch[1].rm_eo - pmatch[1].rm_so;
++        if (warning_match_len > MAX_WARNING_SIZE - 1) {
++            warning_match_len = MAX_WARNING_SIZE - 1;
++        }
++        strncpy(warning, (const char *)payload +  pmatch[1].rm_so, warning_match_len);
++        warning[warning_match_len] = '\0'; // Ensuring null termination
++
++        msg->call->warning = atoi(warning);
+      }
+ }
+ 
+diff --git a/src/sip.h b/src/sip.h
+index 78afdc2..a9fd06e 100644
+--- a/src/sip.h
++++ b/src/sip.h
+@@ -45,6 +45,8 @@
+ #include "hash.h"
+ 
+ #define MAX_SIP_PAYLOAD 10240
++#define MAX_CONTENT_LENGTH_SIZE 10
++#define MAX_WARNING_SIZE 10
+ 
+ //! Shorter declaration of sip_call_list structure
+ typedef struct sip_call_list sip_call_list_t;
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-06-17 13:36:40 +0000