parse_msg(): Fix heap buffer overflow edge-case (OSS-Fuzz)

This patch fixes a SIP message parsing error log which could lead to an unsafe printing of a non-NULL terminated string. Fortunately, the OpenSIPS PKG memory allocator minimizes the severity of this overflow, thanks to its pre-allocated, large chunk of heap memory. Severity: Low Fixes OSS-Fuzz#52204
OpenSIPS · Oct 8, 2022 · 2a6f8c6 · 2a6f8c6
1 parent 837263b
commit 2a6f8c6
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/parser/msg_parser.c b/parser/msg_parser.c
@@ -247,7 +247,8 @@ char* get_hdr_field(char* buf, char* end, struct hdr_field* hdr)
 				if (match){
 					match++;
 				}else {
-					LM_ERR("bad body for <%s>(%d)\n", hdr->name.s, hdr->type);
+					LM_ERR("bad body for <%.*s>(%d)\n",
+					         hdr->name.len, hdr->name.s, hdr->type);
 					tmp=end;
 					goto error_bad_hdr;
 				}

diff --git a/parser/test/test_parser.c b/parser/test/test_parser.c
@@ -151,12 +151,14 @@ static const struct tts {
 		/* test for read overflows on EoH parsing */
 		"e \xff\xff\xff\xff     \xff\n\xff\xff  ",
 		-1,
-	},
-
-	{
+	}, {
 		/* test for read overflows on To header param parsing */
 		"d  \x02\x80\0\nt\0:G;150=\"a8",
 		-1,
+	}, {
+		/* test for read overflows on bad header body (no \n ending) */
+		"m  r\nu:c \x1b\r   : ]",
+		-1,
 	},
 
 	{"\0", 0},
@@ -173,7 +175,7 @@ void test_parse_msg(void)
 		msg.buf = (char *)tset[i].tmsg;
 		msg.len = strlen(msg.buf);
 
-		ok(parse_msg(msg.buf, msg.len, &msg) == tset[i].tres, "parse-msg-0");
+		ok(parse_msg(msg.buf, msg.len, &msg) == tset[i].tres, "parse-msg-t%d", i);
 	}
 }