1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
|
Based on upstream dd5fec92730562af6f96891291cd4e102b80bfcc, adjusted to
apply cleanly to 1.7.0
diff --git a/src/sip.c b/src/sip.c
index 20a2d81..f2dde5c 100644
--- a/src/sip.c
+++ b/src/sip.c
@@ -264,7 +264,7 @@ sip_validate_packet(packet_t *packet)
uint32_t plen = packet_payloadlen(packet);
u_char payload[MAX_SIP_PAYLOAD];
regmatch_t pmatch[4];
- char cl_header[10];
+ char cl_header[MAX_CONTENT_LENGTH_SIZE];
int content_len;
int bodylen;
@@ -291,7 +291,15 @@ sip_validate_packet(packet_t *packet)
return VALIDATE_PARTIAL_SIP;
}
- strncpy(cl_header, (const char *)payload + pmatch[2].rm_so, (int)pmatch[2].rm_eo - pmatch[2].rm_so);
+ // Ensure the copy length does not exceed MAX_CONTENT_LENGTH_SIZE - 1
+ int cl_match_len = pmatch[2].rm_eo - pmatch[2].rm_so;
+ if (cl_match_len > MAX_CONTENT_LENGTH_SIZE - 1) {
+ cl_match_len = MAX_CONTENT_LENGTH_SIZE - 1;
+ }
+
+ strncpy(cl_header, (const char *)payload + pmatch[2].rm_so, cl_match_len);
+ cl_header[cl_match_len] = '\0'; // Ensuring null termination
+
content_len = atoi(cl_header);
// Check if we have Body separator field
@@ -756,7 +764,7 @@ void
sip_parse_extra_headers(sip_msg_t *msg, const u_char *payload)
{
regmatch_t pmatch[4];
- char warning[10];
+ char warning[MAX_WARNING_SIZE];
// Reason text
if (regexec(&calls.reg_reason, (const char *)payload, 2, pmatch, 0) == 0) {
@@ -766,8 +774,16 @@ sip_parse_extra_headers(sip_msg_t *msg, const u_char *payload)
// Warning code
if (regexec(&calls.reg_warning, (const char *)payload, 2, pmatch, 0) == 0) {
- strncpy(warning, (const char *)payload + pmatch[1].rm_so, (int)pmatch[1].rm_eo - pmatch[1].rm_so);
- msg->call->warning = atoi(warning);
+
+ // Ensure the copy length does not exceed MAX_WARNING_SIZE - 1
+ int warning_match_len = pmatch[1].rm_eo - pmatch[1].rm_so;
+ if (warning_match_len > MAX_WARNING_SIZE - 1) {
+ warning_match_len = MAX_WARNING_SIZE - 1;
+ }
+ strncpy(warning, (const char *)payload + pmatch[1].rm_so, warning_match_len);
+ warning[warning_match_len] = '\0'; // Ensuring null termination
+
+ msg->call->warning = atoi(warning);
}
}
diff --git a/src/sip.h b/src/sip.h
index 78afdc2..a9fd06e 100644
--- a/src/sip.h
+++ b/src/sip.h
@@ -45,6 +45,8 @@
#include "hash.h"
#define MAX_SIP_PAYLOAD 10240
+#define MAX_CONTENT_LENGTH_SIZE 10
+#define MAX_WARNING_SIZE 10
//! Shorter declaration of sip_call_list structure
typedef struct sip_call_list sip_call_list_t;
|