
utils: Fix buffer overflow; do not NULL-terminate HTTP result

Fix buffer overflow in the `write_function` that receives the resulting
data from libcurl. The function was trying to NUL-terminate the
string, but this could result in writing one byte past the end of the
buffer when size*nmemb == 1.
This also caused some memory corruptions, reported on sr-dev.

Reported by: Travis Cross <tc@traviscross.com>

Carsten Bock authored on 28/08/2015 08:56:37
Showing 1 changed files
... ...
@@ -2,7 +2,7 @@
2 2
  * script functions of utils module
3 3
  *
4 4
  * Copyright (C) 2008 Juha Heinanen
5
- * Copyright (C) 2013 Carsten Bock, ng-voice GmbH
5
+ * Copyright (C) 2013-2015 Carsten Bock, ng-voice GmbH
6 6
  *
7 7
  * This file is part of Kamailio, a free SIP server.
8 8
  *
... ...
@@ -55,7 +55,7 @@ size_t write_function( void *ptr, size_t size, size_t nmemb, void *stream_ptr)
55 55
 	http_res_stream_t *stream = (http_res_stream_t *) stream_ptr;
56 56
 
57 57
 	stream->buf = (char *) pkg_realloc(stream->buf, stream->curr_size + 
58
-			(size * nmemb) + 1);
58
+			(size * nmemb));
59 59
 
60 60
 	if (stream->buf == NULL) {
61 61
 		LM_ERR("cannot allocate memory for stream\n");
... ...
@@ -64,15 +64,12 @@ size_t write_function( void *ptr, size_t size, size_t nmemb, void *stream_ptr)
64 64
 
65 65
 	memcpy(&stream->buf[stream->pos], (char *) ptr, (size * nmemb));
66 66
 
67
-	stream->curr_size += ((size * nmemb) + 1);
67
+	stream->curr_size += (size * nmemb);
68 68
 	stream->pos += (size * nmemb);
69 69
 
70
-	stream->buf[stream->pos + 1] = '\0';
71
-
72 70
 	return size * nmemb;
73 71
 }
74 72
 
75
-
76 73
 /* 
77 74
  * Performs http_query and saves possible result (first body line of reply)
78 75
  * to pvar.
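Review bot: After this change `stream->buf` is no longer NUL-terminated, but nothing in `write_function` records that, so any consumer that still treats it as a C string would read past the allocation; the consumers (for example `http_query` just below) are outside the visible hunks and should be checked. I would add a comment above the `memcpy`, such as `/* buf is NOT NUL-terminated: valid data is buf[0..pos), always bound reads by pos */`. Separately, new line 57 assigns the `pkg_realloc` result straight back to `stream->buf`, so in the NULL branch (whose body is not visible here) the previous block may be leaked. The requested size `stream->curr_size + (size * nmemb)` also grows with whatever the remote server sends, with no upper limit visible in the hunk. Reallocating into a temporary pointer and rejecting the chunk once a maximum response size is exceeded would cover both.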