
modules/ims_isc: several safety checks

- fixed potential buffer overflow
- fixed potential crash if regcomp fails

Camille Oudot authored on 11/06/2013 14:34:49
Showing 1 changed files
... ...
@@ -57,15 +57,32 @@ static int isc_check_headers(ims_spt *spt, struct hdr_field *headers) {
57 57
 	char buf[256];
58 58
 	regex_t header_comp, content_comp;
59 59
 	i = headers;
60
+
61
+    if (spt->sip_header.header.len >= sizeof(buf)) {
62
+        LM_ERR("Header name \"%.*s\" is to long to be processed (max %d bytes)\n", spt->sip_header.header.len, spt->sip_header.header.s, (int) (sizeof(buf) - 1));
63
+        return FALSE;
64
+    }
65
+    if (spt->sip_header.content.len >= sizeof(buf)) {
66
+        LM_ERR("Header content \"%.*s\" is to long to be processed (max %d bytes)\n", spt->sip_header.content.len, spt->sip_header.content.s, (int) (sizeof(buf) - 1));
67
+        return FALSE;
68
+    }
69
+
60 70
 	/* compile the regex for header name */
61 71
 	memcpy(buf, spt->sip_header.header.s, spt->sip_header.header.len);
62 72
 	buf[spt->sip_header.header.len] = 0;
63
-	regcomp(&(header_comp), buf, REG_ICASE | REG_EXTENDED);
73
+	if (regcomp(&(header_comp), buf, REG_ICASE | REG_EXTENDED) != 0) {
74
+	    LM_ERR("Error compiling the following regexp for header name: %.*s\n", spt->sip_header.header.len, spt->sip_header.header.s);
75
+	    return FALSE;
76
+	}
64 77
 
65 78
 	/* compile the regex for content */
66 79
 	memcpy(buf, spt->sip_header.content.s, spt->sip_header.content.len);
67 80
 	buf[spt->sip_header.content.len] = 0;
68
-	regcomp(&(content_comp), buf, REG_ICASE | REG_EXTENDED);
81
+	if(regcomp(&(content_comp), buf, REG_ICASE | REG_EXTENDED) != 0) {
82
+	    LM_ERR("Error compiling the following regexp for header content: %.*s\n", spt->sip_header.content.len, spt->sip_header.content.s);
83
+	    regfree(&(header_comp));
84
+	    return FALSE;
85
+	}
69 86
 
70 87
 	LM_DBG("isc_check_headers: Looking for Header[%.*s(%d)] %.*s \n",
71 88
 			spt->sip_header.header.len, spt->sip_header.header.s, spt->sip_header.type, spt->sip_header.content.len, spt->sip_header.content.s);
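Review bot: The two new length-check branches print the rejected value in full with `%.*s`, so a value already known to be at least `sizeof(buf)` bytes produces an unbounded log line. Logging the length instead keeps the message bounded and fixes the "to long" typo, e.g. `LM_ERR("Header name is too long to be processed (%d bytes, max %d)\n", spt->sip_header.header.len, (int)(sizeof(buf) - 1));`, and likewise for the content check. The two `regcomp()` failure branches discard the return code; keeping it in a local and passing it to `regerror()` would put the reason for the rejected pattern in the log. The new lines are also indented with spaces where the surrounding code uses tabs. `isc_check_headers` continues past the end of this hunk, so whether both compiled expressions are released with `regfree()` on every later return path cannot be confirmed from here.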