From dce23af786559873071b3ea5e4641e4ecdca5ee6 Mon Sep 17 00:00:00 2001
From: Peter Lemenkov <lemenkov@gmail.com>
Date: Wed, 27 Jan 2010 09:46:03 +0300
Subject: [PATCH 2/3] Fix for CVE-2008-2085.
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
---
 call.cpp | 41 +++++++++++++++++++++++++++++++++--------
 1 files changed, 33 insertions(+), 8 deletions(-)
diff --git a/call.cpp b/call.cpp
index 6830304..408f23c 100644
--- a/call.cpp
+++ b/call.cpp
@@ -133,17 +133,26 @@ uint32_t get_remote_ip_media(char *msg)
 char pattern[] = "c=IN IP4 ";
 char *begin, *end;
 char ip[32];
- begin = strstr(msg, pattern);
+ char *tmp = strdup(msg);
+
+ if(!tmp) return INADDR_NONE;
+ begin = strstr(tmp, pattern);
 if (!begin) {
+ free(tmp);
 /* Can't find what we're looking at -> return no address */
 return INADDR_NONE;
 }
 begin += sizeof("c=IN IP4 ") - 1;
 end = strstr(begin, "\r\n");
- if (!end)
+ if (!end){
+ free(tmp);
 return INADDR_NONE;
+ }
+ *end = 0;
 memset(ip, 0, 32);
- strncpy(ip, begin, end - begin);
+ strncpy(ip, begin, sizeof(ip) - 1);
+ ip[sizeof(ip) - 1] = 0;
+ free(tmp);
 return inet_addr(ip);
 }
@@ -156,20 +165,28 @@ uint8_t get_remote_ipv6_media(char *msg, struct in6_addr *addr)
 char pattern[] = "c=IN IP6 ";
 char *begin, *end;
 char ip[128];
+ char *tmp = strdup(msg);
 memset(addr, 0, sizeof(*addr));
 memset(ip, 0, 128);
- begin = strstr(msg, pattern);
+ if(!tmp) return 0;
+ begin = strstr(tmp, pattern);
 if (!begin) {
+ free(tmp);
 /* Can't find what we're looking at -> return no address */
 return 0;
 }
 begin += sizeof("c=IN IP6 ") - 1;
 end = strstr(begin, "\r\n");
- if (!end)
+ if (!end){
+ free(tmp);
 return 0;
- strncpy(ip, begin, end - begin);
+ }
+ *end = 0;
+ strncpy(ip, begin, sizeof(ip) - 1);
+ ip[sizeof(ip) - 1] = 0;
+ free(tmp);
 if (!inet_pton(AF_INET6, ip, addr)) {
 return 0;
 }
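Review bot: In get_remote_ip_media, an address field longer than 31 bytes is silently cut by `strncpy(ip, begin, sizeof(ip) - 1)` and the truncated prefix is still handed to `inet_addr`, so an oversized `c=` line is parsed instead of rejected. Since `end` is already known, the length can be checked before the copy: `if ((size_t)(end - begin) >= sizeof(ip)) { free(tmp); return INADDR_NONE; }`. The same truncate-then-parse pattern appears in the get_remote_ipv6_media hunk (`ip[128]`, returning 0) and in the get_remote_port_media hunk (`number`). The function's opening lines are outside this hunk.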
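Review bot: In get_remote_ipv6_media, `strdup(msg)` copies the whole message only so that `*end = 0` can terminate one field, which adds a heap allocation per call and a `free(tmp)` on every exit path. The field can be bounded in place without writing to `msg`: `size_t len = end - begin; if (len >= sizeof(ip)) return 0; memcpy(ip, begin, len);`, relying on the existing `memset(ip, 0, 128)` for termination. The other two hunks repeat the same copy-and-terminate sequence, so a small shared helper would keep the bounds check in one place. This function continues past the end of the hunk.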
@@ -196,17 +213,25 @@ uint16_t get_remote_port_media(char *msg, int pattype)
 ERROR("Internal error: Undefined media pattern %d\n", 3);
 }
- begin = strstr(msg, pattern);
+ char *tmp = strdup(msg);
+ if(!tmp) return 0;
+ begin = strstr(tmp, pattern);
 if (!begin) {
+ free(tmp);
 /* m=audio not found */
 return 0;
 }
 begin += strlen(pattern) - 1;
 end = strstr(begin, "\r\n");
- if (!end)
+ if (!end){
+ free(tmp);
 ERROR("get_remote_port_media: no CRLF found");
+ }
+ *end = 0;
 memset(number, 0, sizeof(number));
 strncpy(number, begin, sizeof(number) - 1);
+ number[sizeof(number) - 1] = 0;
+ free(tmp);
 return atoi(number);
 }
--
1.6.2.5
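Review bot: In the `if (!end)` branch of get_remote_port_media, `tmp` is freed before `ERROR(...)` and execution then falls through to `*end = 0`, so the new code is only safe if ERROR never returns, which is not visible in this hunk. If it can return, the result is a write through a null pointer followed by a `strncpy` from freed memory via `begin`; adding `return 0;` after the ERROR call makes the branch safe either way. Separately, `atoi(number)` is narrowed to the `uint16_t` return type with no range check, so `strtol` with an explicit 0–65535 check would be the stricter choice. The function starts outside the hunk.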