From 69069125c15decd14dabf0d419c608a9d9021f05 Mon Sep 17 00:00:00 2001
From: Liong Sauw Ming
Date: Tue, 10 Feb 2015 03:20:04 +0000
Subject: Re #1782 (misc): Prevent buffer overrun in pjsip message/uri printing

Thanks to Sagi Iltus for the patch

git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@4979 74dad513-b988-da41-8d7b-12977e46ad98
---
 pjsip/include/pjsip/print_util.h | 6 ++++++
 pjsip/src/pjsip/sip_msg.c | 4 ++--
 pjsip/src/pjsip/sip_uri.c | 24 ++++++++++++------------
 3 files changed, 20 insertions(+), 14 deletions(-)

(limited to 'pjsip')

diff --git a/pjsip/include/pjsip/print_util.h b/pjsip/include/pjsip/print_util.h
index 6d82aad7..d2ee3aea 100644
--- a/pjsip/include/pjsip/print_util.h
+++ b/pjsip/include/pjsip/print_util.h
@@ -20,6 +20,12 @@
 #ifndef __PJSIP_PRINT_H__
 #define __PJSIP_PRINT_H__
 
+#define copy_advance_char_check(buf,chr) \
+ do { \
+ if (1 >= (endbuf-buf)) return -1; \
+ *buf++ = chr; \
+ } while (0)
+
 #define copy_advance_check(buf,str) \
 do { \
 if ((str).slen >= (endbuf-buf)) return -1; \
diff --git a/pjsip/src/pjsip/sip_msg.c b/pjsip/src/pjsip/sip_msg.c
index ab2c435a..eca20f65 100644
--- a/pjsip/src/pjsip/sip_msg.c
+++ b/pjsip/src/pjsip/sip_msg.c
@@ -1220,8 +1220,8 @@ static int pjsip_contact_hdr_print( pjsip_contact_hdr *hdr, char *buf,
 char *endbuf = buf + size;
 copy_advance(buf, (*hname));
- *buf++ = ':';
- *buf++ = ' ';
+ copy_advance_char_check(buf, ':');
+ copy_advance_char_check(buf, ' ');
 printed = pjsip_uri_print(PJSIP_URI_IN_CONTACT_HDR, hdr->uri, buf, endbuf-buf);
diff --git a/pjsip/src/pjsip/sip_uri.c b/pjsip/src/pjsip/sip_uri.c
index 0870186c..3e7857a3 100644
--- a/pjsip/src/pjsip/sip_uri.c
+++ b/pjsip/src/pjsip/sip_uri.c
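Review bot: The new `copy_advance_char_check` macro depends on a `char *endbuf` local in whatever function expands it and returns -1 from that function, and its `buf` and `chr` operands are used unparenthesized in `(endbuf-buf)` and `*buf++ = chr;`, none of which the header states. That is the same implicit contract as the existing `copy_advance_check` below it, so the two are consistent, but a comment above the new macro would spare the next caller a surprise: `/* Requires a local char *endbuf; returns -1 from the enclosing function unless at least 2 bytes remain. */` (the spare byte beyond chr is presumably for the terminating NUL the printers write last, as `*buf = '\0';` in the sip_uri.c hunks suggests). Parenthesizing the operands, `if (1 >= (endbuf-(buf))) return -1;` and `*(buf)++ = (chr);`, keeps expression arguments such as `(char)sep` safe if a caller ever passes something more involved.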
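Review bot: The header-name copy on the context line directly above the two new checks, `copy_advance(buf, (*hname));`, still uses the unchecked variant, so the bound now enforced for `':'` and `' '` is not enforced for the name written just before them. If `copy_advance` is the unchecked sibling of `copy_advance_check` (which the print_util.h hunk suggests), `copy_advance_check(buf, (*hname));` closes that gap. The same unchecked call survives in sip_uri.c in the quoted-value branch of pjsip_param_print_on (`copy_advance(buf, p->value);` in the @@ -121 hunk) and for `name->display` in pjsip_name_addr_print, where at least the new `slen + 3` precheck covers it. pjsip_contact_hdr_print begins before this hunk and continues after it.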
@@ -121,10 +121,10 @@ PJ_DEF(pj_ssize_t) pjsip_param_print_on( const pjsip_param *param_list,
 PJ_UNUSED_ARG(pname_spec);
 do {
- *buf++ = (char)sep;
+ copy_advance_char_check(buf, (char)sep);
 copy_advance_escape(buf, p->name, (*pname_spec));
 if (p->value.slen) {
- *buf++ = '=';
+ copy_advance_char_check(buf, '=');
 if (*p->value.ptr == '"') copy_advance(buf, p->value);
 else
@@ -265,7 +265,7 @@ static pj_ssize_t pjsip_url_print( pjsip_uri_context_e context,
 /* Print scheme ("sip:" or "sips:") */
 scheme = pjsip_uri_get_scheme(url);
 copy_advance_check(buf, *scheme);
- *buf++ = ':';
+ copy_advance_char_check(buf, ':');
 /* Print "user:password@", if any. */
 if (url->user.slen) {
@@ -274,11 +274,11 @@ static pj_ssize_t pjsip_url_print( pjsip_uri_context_e context,
 &pc->pjsip_USER_SPEC;
 copy_advance_escape(buf, url->user, *spec);
 if (url->passwd.slen) {
- *buf++ = ':';
+ copy_advance_char_check(buf, ':');
 copy_advance_escape(buf, url->passwd, pc->pjsip_PASSWD_SPEC);
 }
- *buf++ = '@';
+ copy_advance_char_check(buf, '@');
 }
 /* Print host. */
@@ -304,7 +304,7 @@ static pj_ssize_t pjsip_url_print( pjsip_uri_context_e context,
 if (endbuf - buf < 10) return -1;
- *buf++ = ':';
+ copy_advance_char_check(buf, ':');
 printed = pj_utoa(url->port, buf);
 buf += printed;
 }
@@ -566,13 +566,13 @@ static pj_ssize_t pjsip_name_addr_print(pjsip_uri_context_e context,
 if (context != PJSIP_URI_IN_REQ_URI) {
 if (name->display.slen) {
- if (endbuf-buf < 8) return -1;
- *buf++ = '"';
+ if (endbuf-buf < name->display.slen + 3) return -1;
+ copy_advance_char_check(buf, '"');
 copy_advance(buf, name->display);
- *buf++ = '"';
- *buf++ = ' ';
+ copy_advance_char_check(buf, '"');
+ copy_advance_char_check(buf, ' ');
 }
- *buf++ = '<';
+ copy_advance_char_check(buf, '<');;
 }
 printed = pjsip_uri_print(context,uri, buf, size-(buf-startbuf));
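Review bot: `copy_advance_char_check(buf, '<');;` in the pjsip_name_addr_print hunk at @@ -566 carries a stray second semicolon, an empty statement that should be dropped so the line reads `copy_advance_char_check(buf, '<');`. In the same hunk the new precheck `if (endbuf-buf < name->display.slen + 3) return -1;` lets exactly `slen + 3` remaining bytes through, yet each of the three `copy_advance_char_check` calls around `copy_advance(buf, name->display);` insists on two bytes remaining before it writes, so with exactly `slen + 3` left the trailing `' '` returns -1 anyway; `slen + 4` is the bound under which the whole display-name part is guaranteed to fit. The result is safe either way because the per-character checks catch it, so this is about the precheck stating the real limit rather than a correctness problem. pjsip_name_addr_print continues outside this hunk.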
@@ -581,7 +581,7 @@ static pj_ssize_t pjsip_name_addr_print(pjsip_uri_context_e context,
 buf += printed;
 if (context != PJSIP_URI_IN_REQ_URI) {
- *buf++ = '>';
+ copy_advance_char_check(buf, '>');
 }
 *buf = '\0';
-- 
cgit v1.2.3
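Review bot: The terminating `*buf = '\0';` at the end of the hunk is still written without a check, and the new `copy_advance_char_check(buf, '>')` only guarantees a byte for it on the `context != PJSIP_URI_IN_REQ_URI` path, where the macro's two-byte requirement leaves one byte after `'>'`. On the request-URI path `buf` was only advanced by the `printed` count from `pjsip_uri_print` (previous hunk), so whether a byte remains depends on that printer reserving one, which the hunk cannot show. A guard immediately before the write, `if (buf >= endbuf) return -1;`, makes this function safe on its own terms instead of relying on the callee's contract. pjsip_name_addr_print ends after this hunk.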