Browse code

parser: safety check for max port length in URI

- can't be longer than 5, a port being 16b value
- reported by Kevin Wojtysiak
(cherry picked from commit 13fd48f89555f5421e8285669e303bcefe44f149)

Daniel-Constantin Mierla authored on 08/04/2013 22:18:35 • Henning Westerholt committed on 19/04/2013 08:57:57
Showing 1 changed files
... ...
@@ -1207,6 +1207,10 @@ int parse_uri(char* buf, int len, struct sip_uri* uri)
1207 1207
 			goto error_bad_uri;
1208 1208
 			break; /* do nothing, avoids a compilation warning */
1209 1209
 	}
1210
+
1211
+	if(uri->port.len>5)
1212
+		goto error_invalid_port;
1213
+
1210 1214
 #ifdef EXTRA_DEBUG
1211 1215
 	/* do stuff */
1212 1216
 	DBG("parsed uri:\n type=%d user=<%.*s>(%d)\n passwd=<%.*s>(%d)\n"
... ...
@@ -1270,6 +1274,10 @@ error_bad_port:
1270 1274
 		*p, state, (int)(p-buf), ZSW(buf), (int)(p-buf),
1271 1275
 		len, ZSW(buf), len);
1272 1276
 	goto error_exit;
1277
+error_invalid_port:
1278
+	DBG("parse_uri: bad port in uri: [%.*s] in <%.*s>\n",
1279
+			uri->port.len, uri->port.s, len, ZSW(buf));
1280
+	goto error_exit;
1273 1281
 error_bad_uri:
1274 1282
 	DBG("parse_uri: bad uri,  state %d"
1275 1283
 		" parsed: <%.*s> (%d) / <%.*s> (%d)\n",