MT#64562 core: tcp read - checks for MSRP first line

NGCP-Flow: mr11.5 Upstream backport of a major security fix. Change-Id: I1dce6243a7670755ffbf4d6c2d2792991b94cd9e
2 months ago · dfe0f34764
parent 3e6d01519e
commit dfe0f34764
2 changed files with 37 additions and 0 deletions
--- a/debian/patches/series
+++ b/debian/patches/series
@ -31,6 +31,7 @@ sipwise/sca-debug.patch
 sipwise/sca-fix-notify-after-bye.patch
 sipwise/sca-add-pai_avp-parameter.patch
 ## upstream 5.7
+upstream/core_tcp_read_check_for_first_msrp_line.patch
 #
 ## upstream master
 sipwise/pv_headers-rework-pvh_remove_header_param-take-two.patch
--- a/debian/patches/upstream/core_tcp_read_check_for_first_msrp_line.patch
+++ b/debian/patches/upstream/core_tcp_read_check_for_first_msrp_line.patch
@ -0,0 +1,36 @@
+--- a/src/core/tcp_read.c
+++ b/src/core/tcp_read.c
+@@ -1035,11 +1035,31 @@ int tcp_read_headers(struct tcp_connecti
+ 					/* locate transaction id in first line
+ 					 * -- first line exists, that's why we are here */
+ 					mfline = q_memchr(r->start, '\n', r->pos - r->start);
+-					mtransid.s = q_memchr(
+-							r->start + 5 /* 'MSRP ' */, ' ', mfline - r->start);
+					if(mfline == NULL || mfline - r->start < 8) {
+						r->error = TCP_READ_ERROR;
+						r->state = H_SKIP; /* skip now */
+						goto skip;
+					}
+					mtransid.s = q_memchr(r->start + 5 /* 'MSRP ' */, ' ',
+							mfline - r->start - 5);
+					if(mtransid.s == NULL) {
+						r->error = TCP_READ_ERROR;
+						r->state = H_SKIP; /* skip now */
+						goto skip;
+					}
+ 					mtransid.len = mtransid.s - r->start - 5;
+					if(mtransid.len <= 0) {
+						r->error = TCP_READ_ERROR;
+						r->state = H_SKIP; /* skip now */
+						goto skip;
+					}
+ 					mtransid.s = r->start + 5;
+ 					trim(&mtransid);
+					if(mtransid.len <= 0) {
+						r->error = TCP_READ_ERROR;
+						r->state = H_SKIP; /* skip now */
+						goto skip;
+					}
+ 					if(memcmp(mtransid.s,
+ 							   p - 1 /*\r*/ - 1 /* '+'|'#'|'$' */
+ 									   - mtransid.len,