
pdb: fix SIGABRT in case of too long uris

kudos for this one go to Verena Kahmann
buf in pdb_msg_dbg should correctly accommodate the pdb_bdy size
pdb_hdr + pdb_bdy should add to pdb_hdr.length (max 255)

Lucian Balaceanu authored on 30/10/2018 08:44:11
@@ -41,7 +41,8 @@
41 41
 #define OTHER_CARRIERID 1000
42 42
 #define MAX_CARRIERID 1000
43 43
 #define NULL_CARRIERID -1001
44
-#define PAYLOADSIZE 256
44
+/* hdr size + PAYLOADSIZE must add to 255 (uint8_t pdb_hdr.length) */
45
+#define PAYLOADSIZE 249
45 46
 
46 47
 
47 48
 #define IS_VALID_PDB_CARRIERID(id) ((id>=MIN_PDB_CARRIERID) && (id<=MAX_PDB_CARRIERID))
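Review bot: The new value 249 encodes the relation "header size + payload <= 255" as a bare magic number, so nothing will catch it if the header struct ever changes or if the arithmetic in the comment is off. Rather than trusting the comment, pin the relation at compile time next to the struct definitions, e.g. `_Static_assert(sizeof(struct pdb_hdr) + PAYLOADSIZE <= 255, "pdb_hdr.length is uint8_t and must cover the whole message");` (this assumes the header struct is really named `pdb_hdr` as the comment suggests, and that the project builds as C11). The check `if (reqlen > PAYLOADSIZE)` in the third hunk depends on the same relation and on `sizeof(struct pdb_bdy)` still being exactly PAYLOADSIZE now that the check no longer uses the struct; if pdb_bdy is just the payload array, a second `_Static_assert(sizeof(struct pdb_bdy) == PAYLOADSIZE, "...")` keeps that check honest. The comment's wording "must add to 255" should read "must not exceed 255".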
... ...
@@ -160,7 +160,7 @@ static struct server_list_t *server_list;
160 160
 /* debug function for the new client <-> server protocol */
161 161
 static void pdb_msg_dbg(struct pdb_msg msg, char *dbg_msg) {
162 162
     int i;
163
-    char buf[PAYLOADSIZE];
163
+    char buf[PAYLOADSIZE*3+1];
164 164
     char *ptr = buf;
165 165
 
166 166
     for (i = 0; i < msg.hdr.length - sizeof(msg.hdr); i++) {
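Review bot: Enlarging buf to PAYLOADSIZE*3+1 only helps if the loop bound is itself bounded, and the bound `msg.hdr.length - sizeof(msg.hdr)` is not: hdr.length is a uint8_t (per the comment in the first hunk), the subtraction is done in size_t, so a length smaller than the header size wraps to a huge value and the loop walks far past both msg.bdy and buf. If hdr.length can come from a received packet, that is an attacker-controlled stack over-read and buf overflow in a debug path; it also compares the int `i` against an unsigned value. Clamp the count once and loop on that: `size_t n = msg.hdr.length > sizeof(msg.hdr) ? msg.hdr.length - sizeof(msg.hdr) : 0;` `if (n > PAYLOADSIZE) n = PAYLOADSIZE;` `for (i = 0; i < (int)n; i++) {`. The loop body and the rest of pdb_msg_dbg continue outside the hunk, so the per-byte width that justifies the factor 3 cannot be confirmed here.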
... ...
@@ -279,7 +279,7 @@ static int pdb_query(struct sip_msg *_msg, struct multiparam_t *_number, struct
279 279
 
280 280
 	/* prepare request */
281 281
 	reqlen = number.len + 1; /* include null termination */
282
-	if (reqlen > sizeof(struct pdb_bdy)) {
282
+	if (reqlen > PAYLOADSIZE) {
283 283
 		LM_ERR("number too long '%.*s'.\n", number.len, number.s);
284 284
 		return -1;
285 285
 	}
... ...
@@ -319,6 +319,7 @@ static int pdb_query(struct sip_msg *_msg, struct multiparam_t *_number, struct
319 319
             break;
320 320
     }
321 321
 
322
+        memset(&msg,0,sizeof(struct pdb_msg));
322 323
 	/* wait for response */
323 324
 	for (;;) {
324 325
 		if (gettimeofday(&tnow, NULL) != 0) {
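Review bot: The added `memset(&msg,0,sizeof(struct pdb_msg));` is indented with spaces while the surrounding lines of pdb_query use tabs, and `sizeof msg` would tie the size to the variable rather than repeating the type. More importantly, the line is placed after the request has presumably been sent and just before the response loop, so whatever msg held for the request is discarded at that point; if the loop below ever re-sends on timeout, that data is gone, and if the intent is to guarantee NUL termination of the received payload, zeroing before the read does not replace checking the received length against msg.hdr.length and PAYLOADSIZE. The receive path is outside this hunk, so please confirm which of these the memset is meant to cover and add a one-line comment stating it, e.g. `/* clear before recv so a short reply leaves hdr.length and payload zeroed */`. pdb_query continues past the end of this hunk.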