Permalink
Browse files

seas: safety check for target buffer size before copying message in e…

…ncode_msg()

- avoid buffer overflow for large SIP messages
- reported by Stelios Tsampas
  • Loading branch information...
miconda committed Feb 12, 2016
1 parent f39d144 commit f50c9c853e7809810099c970780c30b0765b0643
Showing with 6 additions and 0 deletions.
  1. +6 −0 modules/seas/encode_msg.c
@@ -158,6 +158,7 @@ int encode_msg(struct sip_msg *msg,char *payload,int len)
if(len < MAX_ENCODED_MSG + MAX_MESSAGE_LEN)
return -1;
if(parse_headers(msg,HDR_EOH_F,0)<0){
myerror="in parse_headers";
goto error;
@@ -266,6 +267,11 @@ int encode_msg(struct sip_msg *msg,char *payload,int len)
/*j+=k;*/
/*pkg_free(payload2);*/
/*now we copy the actual message after the headers-meta-section*/
if(len < j + msg->len + 1) {
LM_ERR("not enough space to encode sip message\n");
return -1;
}
memcpy(&payload[j],msg->buf,msg->len);
LM_DBG("msglen = %d,msg starts at %d\n",msg->len,j);
j=htons(j);

0 comments on commit f50c9c8

Please sign in to comment.