Browse code
parser: safety check for max port length in URI
- can't be longer than 5, a port being 16b value
- reported by Kevin Wojtysiak
Daniel-Constantin Mierla authored on 08/04/2013 22:18:35
Showing 1 changed files
| ... | ... |
@@ -1222,6 +1222,10 @@ int parse_uri(char* buf, int len, struct sip_uri* uri) |
| 1222 | 1222 |
goto error_bad_uri; |
| 1223 | 1223 |
break; /* do nothing, avoids a compilation warning */ |
| 1224 | 1224 |
} |
| 1225 |
+ |
|
| 1226 |
+ if(uri->port.len>5) |
|
| 1227 |
+ goto error_invalid_port; |
|
| 1228 |
+ |
|
| 1225 | 1229 |
#ifdef EXTRA_DEBUG |
| 1226 | 1230 |
/* do stuff */ |
| 1227 | 1231 |
DBG("parsed uri:\n type=%d user=<%.*s>(%d)\n passwd=<%.*s>(%d)\n"
|
| ... | ... |
@@ -1285,6 +1289,10 @@ error_bad_port: |
| 1285 | 1289 |
*p, state, (int)(p-buf), ZSW(buf), (int)(p-buf), |
| 1286 | 1290 |
len, ZSW(buf), len); |
| 1287 | 1291 |
goto error_exit; |
| 1292 |
+error_invalid_port: |
|
| 1293 |
+ DBG("parse_uri: bad port in uri: [%.*s] in <%.*s>\n",
|
|
| 1294 |
+ uri->port.len, uri->port.s, len, ZSW(buf)); |
|
| 1295 |
+ goto error_exit; |
|
| 1288 | 1296 |
error_bad_uri: |
| 1289 | 1297 |
DBG("parse_uri: bad uri, state %d"
|
| 1290 | 1298 |
" parsed: <%.*s> (%d) / <%.*s> (%d)\n", |