Changeset 2505 for pjproject/trunk/pjsip/src/pjsip/sip_parser.c

Timestamp:

Mar 12, 2009 11:25:11 AM (15 years ago)

Author:

bennylp

Message:

Initial fixes for ticket #747: bugs in parsing SIP torture messages (RFC 4475):

• SIP version components may be separated by whitespaces (e.g. "SIP / 2.0")
• parsing of mangled header when for unknown/generic header
• Via parameters were parsed with paramchar rather than token
• handling NULL character inside quoted string

Some torture messages have been added in the Python test.

File:

• pjproject/trunk/pjsip/src/pjsip/sip_parser.c (modified) (10 diffs)

pjproject/trunk/pjsip/src/pjsip/sip_parser.c

@@ -54 +54 @@
  */
 #define GENERIC_URI_CHARS   "#?;:@&=+-_.!~*'()%$,/" "%"
-
-#define PJSIP_VERSION           "SIP/2.0"
 
 #define UNREACHED(expr)
@@ -894 +892 @@
 }
 
+/* SIP version */
+static void parse_sip_version(pj_scanner *scanner)
+{
+    pj_str_t SIP = { "SIP", 3 };
+    pj_str_t V2 = { "2.0", 3 };
+    pj_str_t sip, version;
+
+    pj_scan_get( scanner, &pconst.pjsip_ALPHA_SPEC, &sip);
+    if (pj_scan_get_char(scanner) != '/')
+        on_syntax_error(scanner);
+    pj_scan_get_n( scanner, 3, &version);
+    if (pj_stricmp(&sip, &SIP) || pj_stricmp(&version, &V2))
+        on_syntax_error(scanner);
+}
+
+static pj_bool_t is_next_sip_version(pj_scanner *scanner)
+{
+    pj_str_t SIP = { "SIP", 3 };
+    pj_str_t sip;
+    int c;
+
+    c = pj_scan_peek(scanner, &pconst.pjsip_ALPHA_SPEC, &sip);
+    /* return TRUE if it is "SIP" followed by "/" or space.
+     * we include space since the "/" may be separated by space,
+     * although this would mean it would return TRUE if it is a
+     * request and the method is "SIP"!
+     */
+    return c && (c=='/' || c==' ' || c=='\t') && pj_stricmp(&sip, &SIP)==0;
+}
+
 /* Internal function to parse SIP message */
 static pjsip_msg *int_parse_msg( pjsip_parse_ctx *ctx,
@@ -927 +955 @@
 
         /* Parse request or status line */
-        if (pj_scan_stricmp_alnum( scanner, PJSIP_VERSION, 7) == 0) {
+        if (is_next_sip_version(scanner)) {
             msg = pjsip_msg_create(pool, PJSIP_RESPONSE_MSG);
             int_parse_status_line( scanner, &msg->line.status );
@@ -1126 +1154 @@
 
 
-/* Parse parameter (";" pname ["=" pvalue]) in header. */
+/* Parse parameter (";" pname ["=" pvalue]) in SIP header. */
 static void int_parse_param( pj_scanner *scanner, pj_pool_t *pool,
                              pj_str_t *pname, pj_str_t *pvalue,
@@ -1514 +1542 @@
 
     req_line->uri = int_parse_uri(scanner, pool, PJ_TRUE);
-    if (pj_scan_stricmp_alnum( scanner, PJSIP_VERSION, 7) != 0)
-        PJ_THROW( PJSIP_SYN_ERR_EXCEPTION);
-    pj_scan_advance_n (scanner, 7, 1);
+    parse_sip_version(scanner);
     pj_scan_get_newline( scanner );
 }
@@ -1526 +1552 @@
     pj_str_t token;
 
-    if (pj_scan_stricmp_alnum(scanner, PJSIP_VERSION, 7) != 0)
-        PJ_THROW(PJSIP_SYN_ERR_EXCEPTION);
-    pj_scan_advance_n( scanner, 7, 1);
-
+    parse_sip_version(scanner);
     pj_scan_get( scanner, &pconst.pjsip_DIGIT_SPEC, &token);
     status_line->code = pj_strtoul(&token);
@@ -1619 +1642 @@
 /* Parse generic string header. */
 static void parse_generic_string_hdr( pjsip_generic_string_hdr *hdr,
-                                      pj_scanner *scanner )
-{
-    if (pj_cis_match(&pconst.pjsip_NOT_NEWLINE, *scanner->curptr))
+                                      pjsip_parse_ctx *ctx)
+{
+    pj_scanner *scanner = ctx->scanner;
+
+    hdr->hvalue.slen = 0;
+
+    /* header may be mangled hence the loop */
+    while (pj_cis_match(&pconst.pjsip_NOT_NEWLINE, *scanner->curptr)) {
+        pj_str_t next, tmp;
+
         pj_scan_get( scanner, &pconst.pjsip_NOT_NEWLINE, &hdr->hvalue);
-    else
-        hdr->hvalue.slen = 0;
+        if (IS_NEWLINE(*scanner->curptr))
+            break;
+        /* mangled, get next fraction */
+        pj_scan_get( scanner, &pconst.pjsip_NOT_NEWLINE, &next);
+        /* concatenate */
+        tmp.ptr = (char*)pj_pool_alloc(ctx->pool, 
+                                       hdr->hvalue.slen + next.slen + 2);
+        tmp.slen = 0;
+        pj_strcpy(&tmp, &hdr->hvalue);
+        pj_strcat2(&tmp, " ");
+        pj_strcat(&tmp, &next);
+        tmp.ptr[tmp.slen] = '\0';
+
+        hdr->hvalue = tmp;
+    }
 
     parse_hdr_end(scanner);
@@ -1935 +1978 @@
 
         //Parse with PARAM_CHAR instead, to allow IPv6
+        //No, back to using int_parse_param() for the "`" character!
         //int_parse_param( scanner, pool, &pname, &pvalue, 0);
-        /* Get ';' character */
-        pj_scan_get_char(scanner);
-
-        parse_param_imp(scanner, pool, &pname, &pvalue, 
-                        &pconst.pjsip_PARAM_CHAR_SPEC,
-                        &pconst.pjsip_PARAM_CHAR_SPEC_ESC, 0);
+        //parse_param_imp(scanner, pool, &pname, &pvalue, 
+        //              &pconst.pjsip_TOKEN_SPEC,
+        //              &pconst.pjsip_TOKEN_SPEC_ESC, 0);
+        int_parse_param(scanner, pool, &pname, &pvalue, 0);
 
         if (!parser_stricmp(pname, pconst.pjsip_BRANCH_STR) && pvalue.slen) {
@@ -2076 +2118 @@
             pj_list_insert_before(first, hdr);
 
-        if (pj_scan_stricmp_alnum( scanner, PJSIP_VERSION "/", 8) != 0)
-            PJ_THROW(PJSIP_SYN_ERR_EXCEPTION);
-
-        pj_scan_advance_n( scanner, 8, 1);
+        parse_sip_version(scanner);
+        if (pj_scan_get_char(scanner) != '/')
+            on_syntax_error(scanner);
 
         pj_scan_get( scanner, &pconst.pjsip_TOKEN_SPEC, &hdr->transport);
@@ -2120 +2161 @@
 
     hdr = pjsip_generic_string_hdr_create(ctx->pool, NULL, NULL);
-    parse_generic_string_hdr(hdr, ctx->scanner);
+    parse_generic_string_hdr(hdr, ctx);
     return (pjsip_hdr*)hdr;