parse_via(): Fix out-of-bounds read edge-case (OSS-Fuzz)

This patch fixes a possible off-by-one read overflow while parsing the Via buffer. Even so, the error was mostly harmless, as the supplied buffer is typically much larger and is guaranteed to be NULL-terminated (see udp_read_req(), for example). Severity: Low Fixes OSS-Fuzz#52326 (cherry picked from commit 5e9f72d)
OpenSIPS · Nov 8, 2022 · 44a73d3 · 44a73d3
1 parent d9942fb
commit 44a73d3
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/parser/parse_via.c b/parser/parse_via.c
@@ -1665,7 +1665,7 @@ char* parse_via(char* buffer, char* end, struct via_body *vbody)
 	tmp++;
 	c_nest=0;
 	/*state should always be F_HOST here*/;
-	for(;*tmp;tmp++){
+	for(;tmp<end;tmp++){
 		switch(*tmp){
 		case ' ':
 		case '\t':
@@ -2084,6 +2084,8 @@ char* parse_via(char* buffer, char* end, struct via_body *vbody)
 						goto  parse_error;
 				}
 				break;
+			case '\0':
+				break;
 
 			default:
 				switch(state){

diff --git a/parser/test/test_parser.c b/parser/test/test_parser.c
@@ -159,6 +159,10 @@ static const struct tts {
 		/* test for read overflows on bad header body (no \n ending) */
 		"m  r\nu:c \x1b\r   : ]",
 		-1,
+	}, {
+		/* test for read overflow on Via header (the @end pointer) */
+		"Q e  M\nV:SIP/2.0  /1P 4rr;TT;TT;TT;TT;TT;TT;T\xd2;TT;",
+		-1,
 	},
 
 	{"\0", 0},