TT#44251 Fix CVE-2018-16657

Improve header safe guards for Via handling Backported from kamailio version 5.1. Original commit: ad68e402ec Change-Id: Ifa94a9c471528c56da2d3e612d544b78e25785bd (cherry picked from commit f59fc78f08)
7 years ago · d87fe4653f
parent 7b9ff5a2de
commit d87fe4653f
2 changed files with 35 additions and 0 deletions
--- a/debian/patches/series
+++ b/debian/patches/series
@ -34,3 +34,4 @@ sipwise/fix_db_redis_memory_issues.patch
 # backported from 5.1 branch
 sipwise/0002-core-improve-to-header-check-guards-str-consists-of-.patch
 sipwise/fix_db_redis_manual_key_issue.patch
+upstream/0003-core-improve-header-safe-guards-for-via-handling.patch
--- a/debian/patches/upstream/0003-core-improve-header-safe-guards-for-via-handling.patch
+++ b/debian/patches/upstream/0003-core-improve-header-safe-guards-for-via-handling.patch
@ -0,0 +1,34 @@
+--- a/src/core/crc.c
+++ b/src/core/crc.c
+@@ -231,6 +231,8 @@ void crcitt_string_array( char *dst, str
+ 	ccitt = 0xFFFF;
+ 	str_len=CRC16_LEN;
+ 	for (i=0; i<size; i++ ) {
+		/* invalid str with positive length and null char pointer */
+		if( unlikely(src[i].s==NULL)) break;
+ 		c=src[i].s;
+ 		len=src[i].len;
+ 		while(len) {
+--- a/src/core/msg_translator.c
+++ b/src/core/msg_translator.c
+@@ -168,12 +168,17 @@ static int check_via_address(struct ip_a
+ 						(name->s[name->len-1]==']')&&
+ 						(strncasecmp(name->s+1, s, len)==0))
+ 				)
+-		   )
+		   ) {
+ 			return 0;
+-		else
+-
+		}
+		else {
+			if (unlikely(name->s==NULL)) {
+				LM_CRIT("invalid Via host name\n");
+				return -1;
+			}
+ 			if (strncmp(name->s, s, name->len)==0)
+ 				return 0;
+		}
+ 	}else{
+ 		LM_CRIT("could not convert ip address\n");
+ 		return -1;