parse_content_length(): Fix out-of-bounds read edge-case (OSS-Fuzz)

This patch fixes a possible off-by-one read overflow while parsing a bad Content-Length header. The error was mostly harmless, as the supplied buffer is typically much larger and is stored in PKG memory. Severity: Low Fixes OSS-Fuzz#53199
OpenSIPS · Nov 11, 2022 · a008e7c · a008e7c
1 parent b672ec9
commit a008e7c
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/parser/parse_content.c b/parser/parse_content.c
@@ -267,7 +267,8 @@ char* parse_content_length( char* buffer, char* end, int* length)
 	*length = number;
 	return p;
 error:
-	LM_ERR("parse error near char [%d][%c]\n",*p,*p);
+	LM_ERR("parse error at pos %ld, dec-char: %d, start/p/end: %p/%p/%p\n",
+	       p - buffer, p < end && (end-buffer) ? *p:-1, buffer, p, end);
 	return NULL;
 }
 

diff --git a/parser/test/test_parser.c b/parser/test/test_parser.c
@@ -167,6 +167,10 @@ static const struct tts {
 		/* test for read overflow on Via header param (the @end pointer) */
 		"A  !\nV:SIP/2.0/? M;recEIVeD\n ",
 		-1,
+	}, {
+		/* test for read overflow on Content-Length parsing error (@end) */
+		"v D \xd7\r\xeeV:1\r\nl:5\r*",
+		-1,
 	},
 };