Ticket #2056 (closed defect: fixed)

Opened 2 weeks ago

Last modified 5 days ago

Add validity checking for numeric header values

Reported by: riza Owned by: bennylp
Priority: normal Milestone: release-2.7.1
Component: pjlib Version: trunk
Keywords: Cc:
Backport to 1.x milestone: Backported: no

Description (last modified by riza) (diff)

Parsing the numeric header fields like cseq, ttl, port, etc. all had the potential to overflow, either causing unintended values to be captured or, if the values were subsequently converted back to strings, a buffer overrun. This will lead to a potential exploit using carefully crafted invalid values. To address this, new "strto" functions have been created that do range checking and those functions are used wherever possible in the parser.

This patch will:

  • Created pjlib/include/limits.h and pjlib/include/compat/limits.h to either include the system limits.h or define common numeric limits if there is no system limits.h.
  • Created strtoi_validate functions in sip_parser that take bounds and on failure call the on_str_parse_error function which prints an error message and calls PJ_THROW.
  • Updated sip_parser to validate the numeric fields.
  • Fixed an issue in sip_transport that prevented error messages from being properly displayed.
  • Added "volatile" to some variables referenced in PJ_CATCH blocks as the optimizer was sometimes optimizing them away.
  • Fixed length calculation in sip_transaction/create_tsx_key_2543 to account for signed ints being 11 characters, not 9.

Thanks to:

  • Youngsung Kim at LINE Corporation for the report
  • George Joseph <gjoseph@digium.com> for the patch

Change History

comment:1 Changed 2 weeks ago by riza

  • Status changed from new to closed
  • Resolution set to fixed

In 5682:

Closed #2056: Add validity checking for numeric header values.

comment:2 Changed 5 days ago by riza

  • Description modified (diff)
Note: See TracTickets for help on using tickets.