#2056 closed defect (fixed)
Add validity checking for numeric header values — at Version 2
Reported by: | riza | Owned by: | bennylp |
---|---|---|---|
Priority: | normal | Milestone: | release-2.7.1 |
Component: | pjlib | Version: | trunk |
Keywords: | Cc: | ||
Backport to 1.x milestone: | Backported: | no |
Description (last modified by riza)
Parsing the numeric header fields like cseq, ttl, port, etc. all
had the potential to overflow, either causing unintended values to
be captured or, if the values were subsequently converted back to
strings, a buffer overrun. This will lead to a potential exploit using carefully crafted invalid values.
To address this, new "strto" functions
have been created that do range checking and those functions are
used wherever possible in the parser.
This patch will:
- Created pjlib/include/limits.h and pjlib/include/compat/limits.h to either include the system limits.h or define common numeric limits if there is no system limits.h.
- Created strtoi_validate functions in sip_parser that take bounds and on failure call the on_str_parse_error function which prints an error message and calls PJ_THROW.
- Updated sip_parser to validate the numeric fields.
- Fixed an issue in sip_transport that prevented error messages from being properly displayed.
- Added "volatile" to some variables referenced in PJ_CATCH blocks as the optimizer was sometimes optimizing them away.
- Fixed length calculation in sip_transaction/create_tsx_key_2543 to account for signed ints being 11 characters, not 9.
Thanks to:
- Youngsung Kim at LINE Corporation for the report
- George Joseph <gjoseph@digium.com> for the patch
Change History (2)
comment:1 Changed 7 years ago by riza
- Resolution set to fixed
- Status changed from new to closed
comment:2 Changed 7 years ago by riza
- Description modified (diff)
Note: See
TracTickets for help on using
tickets.
In 5682: