TT#159750 pv_headers: fix possible mem. overflow issue and wrong size string

Change-Id: Ia35d3f475fde6dbb53f709991b72aa8a06b3ad77
4 years ago · 809ae67243
parent a988420434
commit 809ae67243
2 changed files with 79 additions and 1 deletions
--- a/debian/patches/series
+++ b/debian/patches/series
@ -67,9 +67,10 @@ sipwise/db_redis_graceful_scan.patch
 sipwise/db_redis_sscan.patch
 sipwise/db_redis_sscan_fix_empty_key.patch
 sipwise/kamctl-TMPDIR-config.patch
+sipwise/pv_headers-fix-build-warning.patch
+sipwise/pv_headers-use-memset.patch
 ### active development
 sipwise/lcr-stopper_mode-parameter.patch
-sipwise/pv_headers-fix-build-warning.patch
 sipwise/cfgt-improve-detection-of-dynamic-format.patch
 sipwise/cfgt-fix-memory-leaks.patch
 sipwise/cfgt-skip_unknown.patch
--- a/debian/patches/sipwise/pv_headers-use-memset.patch
+++ b/debian/patches/sipwise/pv_headers-use-memset.patch
@ -0,0 +1,77 @@
+From: Sipwise Development Team <support@sipwise.com>
+Date: Thu, 28 Apr 2022 08:54:05 +0200
+Subject: pv_headers-use-memset
+
+---
+ src/modules/pv_headers/pvh_func.c | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/src/modules/pv_headers/pvh_func.c b/src/modules/pv_headers/pvh_func.c
+index c2a3f98..bc415b9 100644
+--- a/src/modules/pv_headers/pvh_func.c
+++ b/src/modules/pv_headers/pvh_func.c
+@@ -383,13 +383,13 @@ int pvh_header_param_exists(struct sip_msg *msg, str *hname, str *hvalue)
+ 
+ int pvh_remove_header_param(struct sip_msg *msg, int idx, str *hname, str *elements, str *toRemove)
+ {
+	int notTarget, writtenChars;
+ 	int offset = 0;
+ 	int ret = -1;
+ 	char *next_token;
+ 	char *token;
+ 	char *result = (char*)pkg_malloc(elements->len - toRemove->len);
+-	char *t = (char*)pkg_malloc(elements->len);
+-	int maxSize = elements->len;
+	char *t = (char*)pkg_malloc(elements->len+1);
+ 
+ 	if (result == NULL || t == NULL)
+ 	{
+@@ -397,37 +397,37 @@ int pvh_remove_header_param(struct sip_msg *msg, int idx, str *hname, str *eleme
+ 		goto clean;
+ 	}
+ 
+-	snprintf(result, elements->len - toRemove->len, "%*s", elements->len - toRemove->len, "");
+-	snprintf(t, elements->len+1, "%s", elements->s);
+	memset(result, 32, elements->len - toRemove->len);
+	snprintf(t, elements->len, "%s", elements->s);
+ 
+ 	token = strtok_r(t, ", ", &next_token);
+ 	while(token)
+ 	{
+-		int notTarget = strncmp(token, toRemove->s, toRemove->len);
+		notTarget = strncmp(token, toRemove->s, toRemove->len);
+ 		if (notTarget)
+ 		{
+-			int n = snprintf(result + offset, maxSize - offset, "%s", token);
+-			if (n < 0 || n >= maxSize - offset)
+			writtenChars = snprintf(result + offset, elements->len - offset, "%s", token);
+			if (writtenChars < 0 || writtenChars >= elements->len - offset)
+ 			{
+ 				break;
+ 			}
+-			offset += n;
+			offset += writtenChars;
+ 		}
+ 		token = strtok_r(NULL, ", ", &next_token);
+-		if (token && notTarget && maxSize - offset - toRemove->len > 2)
+		if (token && notTarget && elements->len - offset - toRemove->len > 2)
+ 		{
+-			int n = snprintf(result + offset, maxSize - offset, ", ");
+-			if (n < 0 || n >= maxSize - offset)
+			writtenChars = snprintf(result + offset, elements->len - offset, ", ");
+			if (writtenChars < 0 || writtenChars >= elements->len - offset)
+ 			{
+ 				break;
+ 			}
+-			offset += n;
+			offset += writtenChars;
+ 		}
+ 	}
+ 
+ 	if (elements->len-toRemove->len > 0)
+ 	{
+-		snprintf(elements->s, elements->len, "%*s", elements->len-toRemove->len, "");
+		memset(elements->s, 32, elements->len-toRemove->len);
+ 		snprintf(elements->s, (strlen(result)%elements->len)+1, "%s", result);
+ 		elements->len = strlen(result);
+ 		ret = 1;