Based on upstream dd5fec92730562af6f96891291cd4e102b80bfcc, adjusted to
apply cleanly to 1.7.0

diff --git a/src/sip.c b/src/sip.c
index 20a2d81..f2dde5c 100644
--- a/src/sip.c
+++ b/src/sip.c
@@ -264,7 +264,7 @@ sip_validate_packet(packet_t *packet)
     uint32_t plen = packet_payloadlen(packet);
     u_char payload[MAX_SIP_PAYLOAD];
     regmatch_t pmatch[4];
-    char cl_header[10];
+    char cl_header[MAX_CONTENT_LENGTH_SIZE];
     int content_len;
     int bodylen;
 
@@ -291,7 +291,15 @@ sip_validate_packet(packet_t *packet)
         return VALIDATE_PARTIAL_SIP;
     }
 
-    strncpy(cl_header, (const char *)payload +  pmatch[2].rm_so, (int)pmatch[2].rm_eo - pmatch[2].rm_so);
+    // Ensure the copy length does not exceed MAX_CONTENT_LENGTH_SIZE - 1
+    int cl_match_len = pmatch[2].rm_eo - pmatch[2].rm_so;
+    if (cl_match_len > MAX_CONTENT_LENGTH_SIZE - 1) {
+        cl_match_len = MAX_CONTENT_LENGTH_SIZE - 1;
+    }
+
+    strncpy(cl_header, (const char *)payload +  pmatch[2].rm_so, cl_match_len);
+    cl_header[cl_match_len] = '\0'; // Ensuring null termination
+
     content_len = atoi(cl_header);
 
     // Check if we have Body separator field
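Review bot: Clamping cl_match_len after the new comment silently changes the parsed value instead of rejecting the packet: a Content-Length of ten or more digits is cut to its first nine and then handed to atoi, so the body-length check that follows compares against a number the sender never sent. Because MAX_SIP_PAYLOAD is 10240, a header that does not fit the buffer cannot describe a valid body, so the oversized case should fail validation rather than be truncated, `if (cl_match_len > MAX_CONTENT_LENGTH_SIZE - 1) return VALIDATE_NOT_SIP;` (upstream's not-SIP result; only VALIDATE_PARTIAL_SIP is visible in this hunk). atoi also reports nothing for non-digit or out-of-range input, so content_len cannot be validated before use; strtol with an endptr and errno check would give the caller something to test. The same silent-truncation pattern is in the Warning hunk of this file. sip_validate_packet begins and ends outside this hunk.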
@@ -756,7 +764,7 @@ void
 sip_parse_extra_headers(sip_msg_t *msg, const u_char *payload)
 {
     regmatch_t pmatch[4];
-    char warning[10];
+    char warning[MAX_WARNING_SIZE];
 
      // Reason text
      if (regexec(&calls.reg_reason, (const char *)payload, 2, pmatch, 0) == 0) {
@@ -766,8 +774,16 @@ sip_parse_extra_headers(sip_msg_t *msg, const u_char *payload)
 
      // Warning code
      if (regexec(&calls.reg_warning, (const char *)payload, 2, pmatch, 0) == 0) {
-         strncpy(warning, (const char *)payload +  pmatch[1].rm_so, (int)pmatch[1].rm_eo - pmatch[1].rm_so);
-         msg->call->warning = atoi(warning);
+
+        // Ensure the copy length does not exceed MAX_WARNING_SIZE - 1
+        int warning_match_len = pmatch[1].rm_eo - pmatch[1].rm_so;
+        if (warning_match_len > MAX_WARNING_SIZE - 1) {
+            warning_match_len = MAX_WARNING_SIZE - 1;
+        }
+        strncpy(warning, (const char *)payload +  pmatch[1].rm_so, warning_match_len);
+        warning[warning_match_len] = '\0'; // Ensuring null termination
+
+        msg->call->warning = atoi(warning);
      }
 }
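Review bot: The added lines inside the Warning block are indented eight spaces while the surrounding body of sip_parse_extra_headers uses five for the `if` and nine for its statements (compare the removed strncpy line), so the rewritten block no longer lines up with the `if` that encloses it. Re-indenting the new lines to the depth of the removed ones keeps the function consistent with itself. The added empty line directly after the `if (regexec(...) == 0) {` line is stray whitespace the original block did not have. The function's closing brace is the last line of this hunk; its start is outside.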
 
diff --git a/src/sip.h b/src/sip.h
index 78afdc2..a9fd06e 100644
--- a/src/sip.h
+++ b/src/sip.h
@@ -45,6 +45,8 @@
 #include "hash.h"
 
 #define MAX_SIP_PAYLOAD 10240
+#define MAX_CONTENT_LENGTH_SIZE 10
+#define MAX_WARNING_SIZE 10
 
 //! Shorter declaration of sip_call_list structure
 typedef struct sip_call_list sip_call_list_t;
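Review bot: The two new macros are buffer sizes that include the terminating NUL, so each allows only nine characters of header text, but nothing at the definition says so and a reader of sip.h cannot infer that from the bare value 10. A comment in the header's existing `//!` style would carry it, e.g. `//! Size (with trailing NUL) of the scratch buffer for the Content-Length digits; nine digits cover any MAX_SIP_PAYLOAD-sized body` above MAX_CONTENT_LENGTH_SIZE, and a parallel line above MAX_WARNING_SIZE stating that it bounds the copied Warning code text. Stating the "minus one" relationship here is what lets the `- 1` arithmetic in the sip.c hunks be checked without opening both files.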