Please review this code carefully and make sure all the tests pass; I had difficulty running the test suite.
This commit has the following changes to sip_method_d in sip_parser.c, plus supporting files:
Take the size of the input string as an argument, a pattern established by other functions.
Use the minimum of this and the lengths of each method string, with null terminator subtracted, to bound strncmp.
Bounds-check n prior to use throughout the rest of sip_method_d, incrementing no further than one character off the end of the input string. Without these bounds checks it was possible for malformed input to overflow the buffer; for example:
=================================================================
==77681==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000236b at pc 0x563cc24ff234 bp 0x7ffe52888f40 sp 0x7ffe52888f30
READ of size 1 at 0x60700000236b thread T0
#0 0x563cc24ff233 in sip_method_d drachtio-server/deps/sofia-sip/libsofia-sip-ua/sip/sip_parser.c:416
#1 0x563cc24f4c6b in sip_cseq_d drachtio-server/deps/sofia-sip/libsofia-sip-ua/sip/sip_basic.c:1212
#2 0x563cc247c025 in header_parse drachtio-server/deps/sofia-sip/libsofia-sip-ua/msg/msg_parser.c:1132
#3 0x563cc247b9c4 in extract_header drachtio-server/deps/sofia-sip/libsofia-sip-ua/msg/msg_parser.c:1071
#4 0x563cc247afb5 in extract_next drachtio-server/deps/sofia-sip/libsofia-sip-ua/msg/msg_parser.c:1001
0x60700000236b is located 1 bytes to the right of 74-byte region [0x607000002320,0x60700000236a)
allocated by thread T0 here:
#0 0x7f1faa4dcb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x563cc252f2da in sub_alloc drachtio-server/deps/sofia-sip/libsofia-sip-ua/su/su_alloc.c:541
#2 0x563cc252fce8 in su_alloc drachtio-server/deps/sofia-sip/libsofia-sip-ua/su/su_alloc.c:960
#3 0x563cc248257d in msg_header_alloc drachtio-server/deps/sofia-sip/libsofia-sip-ua/msg/msg_parser.c:231
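As an added example (not sofia-sip's own code and not the patch described above), the following is a length-bounded method matcher written in the style the description calls for: the caller passes the input size, each strncmp is bounded by the method name length with the terminator excluded and is skipped outright when the name cannot fit, and the delimiter check after a match never reads past the last byte of the input. The method table and the names method_parse, is_token_end and method_token_len are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical method table; the real sofia-sip table and codes differ. */
typedef enum { M_UNKNOWN = 0, M_INVITE, M_ACK, M_BYE, M_CANCEL, M_REGISTER } sip_method_t;
static const struct { const char *name; sip_method_t code; } methods[] = {
    { "INVITE", M_INVITE }, { "ACK", M_ACK }, { "BYE", M_BYE },
    { "CANCEL", M_CANCEL }, { "REGISTER", M_REGISTER },
};

/* Characters that may legitimately follow a method token. */
static int is_token_end(char c) {
    return c == ' ' || c == '\t' || c == '\r' || c == '\n' || c == '\0';
}

/* Parse the method token at s[0..n). Every read is bounded by n, so a buffer
 * with neither a NUL nor a trailing delimiter (the one-byte overread in the
 * ASan report above) is never read past its end. *consumed gets the length. */
sip_method_t method_parse(const char *s, size_t n, size_t *consumed) {
    size_t i, len;
    for (i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        len = strlen(methods[i].name);              /* terminator excluded */
        if (n < len)                                /* cannot fit: no compare */
            continue;
        if (strncmp(s, methods[i].name, len) != 0)  /* at most len bytes */
            continue;
        /* Token ends at the buffer end or at a delimiter; when len == n we
         * return without touching s[len]. */
        if (len == n || is_token_end(s[len])) {
            if (consumed) *consumed = len;
            return methods[i].code;
        }
    }
    /* Unknown method: scan the token but advance no further than n. */
    for (i = 0; i < n && !is_token_end(s[i]); i++)
        ;
    if (consumed) *consumed = i;
    return M_UNKNOWN;
}

/* Convenience wrapper returning only the number of bytes consumed. */
size_t method_token_len(const char *s, size_t n) {
    size_t used = 0;
    method_parse(s, n, &used);
    return used;
}

/* Constructed sample: 6 bytes, no NUL and no delimiter after the token. */
static const char unterminated_invite[6] = { 'I', 'N', 'V', 'I', 'T', 'E' };
```

Compiled with AddressSanitizer, method_parse(unterminated_invite, 6, NULL) stays inside the 6-byte object, which is the case the trace above shows the unbounded parser getting wrong.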