
modules/ims_registrar_scscf: prevent possible segfault on contact param with no name

jaybeepee authored on 03/10/2016 13:50:34
... ...
@@ -115,19 +115,21 @@ static inline unsigned int calc_buf_len(impurecord_t* impurec) {
115 115
             }
116 116
             tmp = c->params;
117 117
             while (tmp) {
118
-                if ((tmp->name.s[0] == 'R' || tmp->name.s[0]=='r') && tmp->name.len == 8 && !memcmp(tmp->name.s+1, "eceived", 7)) {
119
-                    tmp = tmp->next;
120
-                    continue;
121
-                }
122
-                if ((tmp->name.s[0] == 'Q' || tmp->name.s[0]=='q') && tmp->name.len == 1) {
123
-                    tmp = tmp->next;
124
-                    continue;
125
-                }
126
-                if ((tmp->name.s[0] == 'E' || tmp->name.s[0] == 'e') && tmp->name.len == 7 && !memcmp(tmp->name.s + 1, "xpires", 6)) {
127
-                    tmp = tmp->next;
128
-                    continue;
129
-                }
130
-                len += tmp->name.len;
118
+				if (tmp->name.len > 0 && tmp->name.s) {
119
+					if ((tmp->name.s[0] == 'R' || tmp->name.s[0]=='r') && tmp->name.len == 8 && !memcmp(tmp->name.s+1, "eceived", 7)) {
120
+						tmp = tmp->next;
121
+						continue;
122
+					}
123
+					if ((tmp->name.s[0] == 'Q' || tmp->name.s[0]=='q') && tmp->name.len == 1) {
124
+						tmp = tmp->next;
125
+						continue;
126
+					}
127
+					if ((tmp->name.s[0] == 'E' || tmp->name.s[0] == 'e') && tmp->name.len == 7 && !memcmp(tmp->name.s + 1, "xpires", 6)) {
128
+						tmp = tmp->next;
129
+						continue;
130
+					}
131
+					len += tmp->name.len + 1 /*separator ; */;
132
+				}
131 133
                 if (tmp->body.len > 0) {
132 134
                     len = len + 1/*=*/ + 2/*2 x "*/;
133 135
                     len += tmp->body.len;
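Review bot: A param whose name is empty or NULL is no longer dereferenced, but it is not skipped either: after the new guard on line 118 it falls through to the `body.len > 0` branch, so calc_buf_len reserves room for `="..."` and build_contact (third hunk, same pattern) emits `="body"` with no leading `;`, which yields a malformed Contact rather than a dropped parameter. Unless the parser guarantees a nameless param never carries a body, a guard that skips the whole entry in both functions is safer than the wrapping block: `if (tmp->name.len <= 0 || !tmp->name.s) { tmp = tmp->next; continue; }`. The three skip comparisons are now duplicated verbatim in calc_buf_len and build_contact; since the first sizes the shm buffer the second writes into, any future drift between them is a heap overflow, so a single static helper that both call would be worth the small refactor. The added `+ 1 /*separator ; */` is a sizing fix the commit message does not mention, and the new lines are tab-indented while the surrounding code uses spaces. calc_buf_len starts before this hunk and continues after it.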
... ...
@@ -437,6 +439,7 @@ int build_contact(impurecord_t* impurec, contact_for_header_t** contact_header)
437 437
 
438 438
     tmp_contact_header->data_len = calc_buf_len(impurec);
439 439
     tmp_contact_header->buf = (char*)shm_malloc(tmp_contact_header->data_len);
440
+	memset(tmp_contact_header->buf, 0, tmp_contact_header->data_len);
440 441
 
441 442
     if (tmp_contact_header->data_len) {
442 443
         p = tmp_contact_header->buf;
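Review bot: The new memset on line 440 dereferences `tmp_contact_header->buf` before anything checks that shm_malloc succeeded, so an allocation failure now crashes here instead of wherever it was (or was not) caught before. A check belongs between the allocation and the memset, `if (!tmp_contact_header->buf) { /* release tmp_contact_header and fail */ return -1; }`, using whatever failure path build_contact already has. The `if (tmp_contact_header->data_len)` test two lines later suggests a zero-length buffer is possible; what shm_malloc(0) returns is not visible here, and memset on a null pointer is undefined even for length 0, so the zeroing is better placed inside that branch. build_contact starts before this hunk and continues after it.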
... ...
@@ -496,21 +499,24 @@ int build_contact(impurecord_t* impurec, contact_for_header_t** contact_header)
496 496
                 /* put in the rest of the params except Q and received */
497 497
                 tmp = c->params;
498 498
                 while (tmp) {
499
-                    if ((tmp->name.s[0] == 'R' || tmp->name.s[0]=='r') && tmp->name.len == 8 && !memcmp(tmp->name.s+1, "eceived", 7)) {
500
-                        tmp = tmp->next;
501
-                        continue;
502
-                    }
503
-                    if ((tmp->name.s[0] == 'Q' || tmp->name.s[0]=='q') && tmp->name.len == 1) {
504
-                        tmp = tmp->next;
505
-                        continue;
506
-                    }
507
-                    if ((tmp->name.s[0] == 'E' || tmp->name.s[0]=='e') && tmp->name.len == 7 && !memcmp(tmp->name.s+1, "xpires", 6)) {
508
-                        tmp = tmp->next;
509
-                        continue;
510
-                    }
511
-                    *p++ = ';';
512
-                    memcpy(p, tmp->name.s, tmp->name.len);
513
-                    p += tmp->name.len;
499
+					if (tmp->name.len>0 && tmp->name.s) {
500
+						if ((tmp->name.s[0] == 'R' || tmp->name.s[0]=='r') && tmp->name.len == 8 && !memcmp(tmp->name.s+1, "eceived", 7)) {
501
+							tmp = tmp->next;
502
+							continue;
503
+						}
504
+						if ((tmp->name.s[0] == 'Q' || tmp->name.s[0]=='q') && tmp->name.len == 1) {
505
+							tmp = tmp->next;
506
+							continue;
507
+						}
508
+						if ((tmp->name.s[0] == 'E' || tmp->name.s[0]=='e') && tmp->name.len == 7 && !memcmp(tmp->name.s+1, "xpires", 6)) {
509
+							tmp = tmp->next;
510
+							continue;
511
+						}
512
+						*p++ = ';';
513
+						memcpy(p, tmp->name.s, tmp->name.len);
514
+						p += tmp->name.len;
515
+					}
516
+                    
514 517
                     if (tmp->body.len > 0) {
515 518
                         *p++ = '=';
516 519
                         *p++ = '\"';