[topology_hiding] fix vulnerability in TH decoding

Extra checks were added to prevent buffer overflow/underflow when decoding the TH information (in non-dialog module) extracted from the Contact hdr. This information may be subject to malicious changes from an external attacker. Credits for reporting and for the fix go to @wdoekes. The suggested fix was re-worked a bit, but the idea is the same. Fixes #2338 (cherry picked from commit 78909c3)
OpenSIPS · Jan 12, 2021 · 0a818e2 · 0a818e2
1 parent c799614
commit 0a818e2
Showing 1 changed file with 17 additions and 8 deletions.
diff --git a/modules/topology_hiding/topo_hiding_logic.c b/modules/topology_hiding/topo_hiding_logic.c
@@ -1834,14 +1834,23 @@ static int topo_no_dlg_seq_handling(struct sip_msg *msg,str *info)
 	for (i=0;i<dec_len;i++)
 		dec_buf[i] ^= topo_hiding_ct_encode_pw.s[i%topo_hiding_ct_encode_pw.len]; 
 
-	rr_buf.len=*(short *)dec_buf;
-	rr_buf.s = dec_buf + sizeof(short);
-	p = rr_buf.s + rr_buf.len;
-	ct_buf.len = *(short *)p;
-	ct_buf.s = p + sizeof(short);
-	p = ct_buf.s + ct_buf.len;
-	bind_buf.len = *(short *)p;
-	bind_buf.s = p + sizeof(short);
+	#define __extract_len_and_buf(_p, _len, _s) \
+		do { \
+			(_s).len = *(short *)p;\
+			if ((_s).len<0 || (_s).len>_len) {\
+				LM_ERR("bad length %hd in encoded contact\n", (_s).len);\
+				goto err_free_buf;\
+			}\
+			(_s).s = _p + sizeof(short);\
+			_p += sizeof(short) + (_s).len;\
+			_len -= sizeof(short) + (_s).len;\
+		} while(0)
+
+	p = dec_buf;
+	size = dec_len;
+	__extract_len_and_buf(p, size, rr_buf);
+	__extract_len_and_buf(p, size, ct_buf);
+	__extract_len_and_buf(p, size, bind_buf);
 
 	LM_DBG("extracted routes [%.*s] , ct [%.*s] and bind [%.*s]\n",
 		rr_buf.len,rr_buf.s,ct_buf.len,ct_buf.s,bind_buf.len,bind_buf.s);