-fixed an issue where the stack could crash if a TCP based sender sen…
…ds a Content-Length that is less than the actual SIP body transmitted

 in order to trigger this condition the SIP message body must arrive in a separate read request, either from the start or part way through the body
 and there must be data following the body in the same read.
sgodin committed Jun 21, 2018
1 parent 878cedb commit 2cb2911
Showing 1 changed file with 35 additions and 5 deletions.
40 changes: 35 additions & 5 deletions resip/stack/ConnectionBase.cxx
Expand Up @@ -397,7 +397,7 @@ ConnectionBase::preparseNewBytes(int bytesRead)
mBufferSize = size;

DebugLog (<< "Extra bytes after message: " << overHang);
DebugLog (<< Data(mBuffer, overHang));
//DebugLog (<< Data(mBuffer, overHang));

bytesRead = overHang;
}
Expand Down Expand Up @@ -471,11 +471,36 @@ ConnectionBase::preparseNewBytes(int bytesRead)
}

mBufferPos += bytesRead;
if (mBufferPos == contentLength)
if (mBufferPos >= contentLength)
{
int overHang = mBufferPos - (int)contentLength;
char *overHangStart = mBuffer + contentLength;

mMessage->addBuffer(mBuffer);
mMessage->setBody(mBuffer, (UInt32)contentLength);
mBuffer=0;
mConnState = NewMessage;
mBuffer = 0;

if (overHang > 0)
{
// The next message has been partially read.
size_t size = overHang * 3 / 2;
if (size < ConnectionBase::ChunkSize)
{
size = ConnectionBase::ChunkSize;
}
char* newBuffer = MsgHeaderScanner::allocateBuffer((int)size);
memcpy(newBuffer, overHangStart, overHang);
mBuffer = newBuffer;
mBufferPos = 0;
mBufferSize = size;

DebugLog(<< "Extra bytes after message: " << overHang);
//DebugLog(<< Data(mBuffer, overHang));

bytesRead = overHang;
}

// .bwc. basicCheck takes up substantial CPU. Don't bother doing it
// if we're overloaded.
CongestionManager::RejectionBehavior b=mTransport->getRejectionBehaviorForIncoming();
Expand Down Expand Up @@ -515,11 +540,16 @@ ConnectionBase::preparseNewBytes(int bytesRead)
mTransport->pushRxMsgUp(mMessage);
mMessage = 0;
}
mConnState = NewMessage;

if (overHang > 0)
{
goto start;
}
}
else if (mBufferPos == mBufferSize)
{
// .bwc. We've filled our buffer; go ahead and make more room.
// .bwc. We've filled our buffer and haven't read contentLength bytes yet; go ahead and make more room.
assert(contentLength >= mBufferSize);
size_t newSize = resipMin(mBufferSize*3/2, contentLength);
char* newBuffer = 0;
try
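Review bot: The overhang copy in the second hunk, `memcpy(newBuffer, overHangStart, overHang);`, reads from the buffer that was already handed to mMessage by `mMessage->addBuffer(mBuffer);` a few lines earlier, so the fix is only safe while addBuffer() merely records the pointer and never frees or moves it; either perform the tail copy before the addBuffer()/setBody() calls or pin the assumption with a comment such as `// overHangStart still points into the buffer now owned by mMessage; addBuffer() must not release it`. The reallocate-and-copy-tail sequence added here also duplicates the header-overhang path visible in the first hunk (`mBufferSize = size;` … `bytesRead = overHang;`), so a small private helper would keep both paths and their ChunkSize minimum in step. The `goto start;` added in the last hunk depends on the `start:` label and on the rejection/push path between the second and third hunks not returning early, both of which lie outside the hunks and cannot be confirmed from this view.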

1 comment on commit 2cb2911

@abergmann
CVE-2018-12584 was assigned to this issue.
