
Commit f50c9c8

committed
seas: safety check for target buffer size before copying message in encode_msg()
- avoid buffer overflow for large SIP messages - reported by Stelios Tsampas
1 parent f39d144 commit f50c9c8


1 file changed

+6
-0
lines changed

1 file changed

+6
-0
lines changed

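--- a/modules/seas/encode_msg.c
+++ b/modules/seas/encode_msg.c
@@ -158,6 +158,7 @@ int encode_msg(struct sip_msg *msg,char *payload,int len)
 
 if(len < MAX_ENCODED_MSG + MAX_MESSAGE_LEN)
 return -1;
+
 if(parse_headers(msg,HDR_EOH_F,0)<0){
 myerror="in parse_headers";
 goto error;
@@ -266,6 +267,11 @@ int encode_msg(struct sip_msg *msg,char *payload,int len)
 /*j+=k;*/
 /*pkg_free(payload2);*/
 /*now we copy the actual message after the headers-meta-section*/
+
+if(len < j + msg->len + 1) {
+LM_ERR("not enough space to encode sip message\n");
+return -1;
+}
 memcpy(&payload[j],msg->buf,msg->len);
 LM_DBG("msglen = %d,msg starts at %d\n",msg->len,j);
 j=htons(j);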
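Review bot: The new bound in the second hunk is computed as a sum, `j + msg->len + 1`, which can overflow or wrap for extreme values before it is compared with `len`; the type of `msg->len` is not visible here, and if it is unsigned the whole comparison is carried out in unsigned arithmetic. Expressing the test as remaining space avoids both problems: `if(j >= len || msg->len >= len - j) {`. The branch also returns directly, whereas the failure path visible in the first hunk uses `myerror=...; goto error;`; if the `error` label performs cleanup or logging, this branch should go through it too (the label lies outside the hunks shown). A one-line comment saying what the extra byte in `+ 1` is reserved for would help, since the `memcpy` that follows copies exactly `msg->len` bytes.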
