seas: safety check for target buffer size before copying message in e…
…ncode_msg()

- avoid buffer overflow for large SIP messages
- reported by Stelios Tsampas
miconda committed Feb 12, 2016
1 parent f39d144 commit f50c9c8
Showing 1 changed file with 6 additions and 0 deletions.
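--- a/modules/seas/encode_msg.c
+++ b/modules/seas/encode_msg.c
@@ -158,6 +158,7 @@ int encode_msg(struct sip_msg *msg,char *payload,int len)
 
 if(len < MAX_ENCODED_MSG + MAX_MESSAGE_LEN)
 return -1;
+
 if(parse_headers(msg,HDR_EOH_F,0)<0){
 myerror="in parse_headers";
 goto error;
@@ -266,6 +267,11 @@ int encode_msg(struct sip_msg *msg,char *payload,int len)
 /*j+=k;*/
 /*pkg_free(payload2);*/
 /*now we copy the actual message after the headers-meta-section*/
+
+if(len < j + msg->len + 1) {
+LM_ERR("not enough space to encode sip message\n");
+return -1;
+}
 memcpy(&payload[j],msg->buf,msg->len);
 LM_DBG("msglen = %d,msg starts at %d\n",msg->len,j);
 j=htons(j);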
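Review bot: The new bound check before the `memcpy` evaluates `j + msg->len + 1` in mixed types: `len` is `int` per the signature, while the declarations of `j` and `msg->len` are outside the visible lines, and if `msg->len` is unsigned the comparison is done unsigned and the sum can in principle wrap. Comparing the message length against the space that remains avoids both, e.g. `if(j >= len || msg->len > (unsigned int)(len - j - 1)) {` (adjusted to the actual type of `j`). The check also exits with `return -1`, whereas the `parse_headers` failure in the first hunk sets `myerror` and uses `goto error`, so whatever the `error` label does is skipped here; `myerror="not enough space to encode sip message"; goto error;` would keep a single failure path. The body of encode_msg starts and ends outside both hunks, so the writes to `payload` below offset `j` could not be checked from here.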
