Opened 7 years ago

Last modified 7 years ago

#2063 closed enhancement

Add more documentation in PJSIP's parser to prevent stack buffer overflow — at Version 1

Reported by: ming Owned by: bennylp
Priority: normal Milestone: release-2.8
Component: pjsip Version: trunk
Keywords: Cc:
Backport to 1.x milestone: Backported: no

Description (last modified by ming)

This ticket will add more documentation in the description of the APIs in pjsip's sip_parser.c, in particular the requirement that the buffer must be NULL terminated and the size parameter must not include the NULL terminator.

Also in the ticket:

  • Modify the spec of pjlib-util's scanner. Originally, the spec said that the scanner will add the NULL terminator right AFTER the end of the buffer, however it turns out that the current implementation didn't do that, probably for a good reason, i.e. to avoid buffer overwrite. So, we change the spec instead, to require that the input buffer passed to the scanner needs to be NULL terminated by app.
  • Add assertion in pjlib-util's scanner to ensure that the buffer is NULL terminated.
    If when using tools such as Valgrind or AddressSanitizer, you get a buffer read overflow warning in this assertion line, it means that you incorrectly passed the buffer length (it should be buffer length - 1).
  • Add robustness check in sip_multipart to prevent buffer overflow

Change History (1)

comment:1 Changed 7 years ago by ming

  • Description modified (diff)
Note: See TracTickets for help on using tickets.