pi_http: avoid POST argument OOB access

Reported-by: Haruto Kimura (Stella)
(cherry picked from commit 3ac1244805d96ab5e717a9c5e6c1c3af453efb18)

Author: razvancrainea

modules/httpd/httpd_proc.c

@@ -290,13 +290,18 @@ static MHD_RET post_iterator (void *cls,
 	LM_DBG("[%.*s]->[%.*s]\n", key_len, key, (int)size, value);
 
 	kv = (str_str_t*)slinkedl_append(pr->p_list,
-						sizeof(str_str_t) + key_len + size);
+						sizeof(str_str_t) + key_len + size + 1);
+	if (!kv) {
+		LM_ERR("oom\n");
+		pr->status = -1; return MHD_NO;
+	}
 	p = (char*)(kv + 1);
 	kv->key.len = key_len; kv->key.s = p;
 	memcpy(p, key, key_len);
 	p += key_len;
 	kv->val.len = size; kv->val.s = p;
 	memcpy(p, value, size);
+	p[size] = '\0';
 	LM_DBG("inserting element pr=[%p] pp=[%p] p_list=[%p]\n",
 				pr, pr->pp, pr->p_list);
 
@@ -567,14 +572,19 @@ MHD_RET answer_to_connection (void *cls, struct MHD_Connection *connection,
 					/* Save the entire body as the '1' key */
 					kv = (str_str_t*)slinkedl_append(pr->p_list,
 							sizeof(str_str_t) + 1 +
-							*upload_data_size);
+							*upload_data_size + 1);
+					if (!kv) {
+						LM_ERR("oom\n");
+						goto mhd_no;
+					}
 					p = (char*)(kv + 1);
 					kv->key.len = 1; kv->key.s = p;
 					memcpy(p, "1", 1);
 					p += 1;
 					kv->val.len = *upload_data_size;
 					kv->val.s = p;
 					memcpy(p, upload_data, *upload_data_size);
+					p[*upload_data_size] = '\0';
 					break;
 				default:
 					LM_ERR("Unhandled data for ContentType [%d]\n",

modules/pi_http/http_fnc.c

@@ -2510,7 +2510,7 @@ int getVal(db_val_t *val, db_type_t val_type, db_key_t key, ph_db_table_t *table
 	struct sip_uri uri;
 	char c;
 
-	for(i=0;i<=table->cols_size;i++){
+	for(i=0;i<table->cols_size;i++){
 		if(table->cols[i].type==val_type &&
 			table->cols[i].field.len==key->len &&
 			strncmp(table->cols[i].field.s,key->s,key->len)==0){
@@ -3230,4 +3230,3 @@ int ph_run_pi_cmd(int mod, int cmd,
 	if(q_vals) pkg_free(q_vals);
 	return 0;
 }
-