From: <arc...@us...> - 2012-12-22 01:50:31
|
Revision: 612 http://sourceforge.net/p/sipp/code/612 Author: arcady-91 Date: 2012-12-22 01:50:29 +0000 (Sat, 22 Dec 2012) Log Message: ----------- CVE-2008-2085 fix - thanks to Peter Lemenkov Modified Paths: -------------- sipp/trunk/THANKS sipp/trunk/call.cpp Modified: sipp/trunk/THANKS =================================================================== --- sipp/trunk/THANKS 2012-12-22 01:50:24 UTC (rev 611) +++ sipp/trunk/THANKS 2012-12-22 01:50:29 UTC (rev 612) @@ -23,6 +23,7 @@ Dmitry Semyonov Jordan Walbesser Ken Crowell +Peter Lemenkov SIPp also uses code originally by Aaron Turner (send_packets.c) and L Peter Deutsch (md5.c). Modified: sipp/trunk/call.cpp =================================================================== --- sipp/trunk/call.cpp 2012-12-22 01:50:24 UTC (rev 611) +++ sipp/trunk/call.cpp 2012-12-22 01:50:29 UTC (rev 612) @@ -133,17 +133,28 @@ char pattern[] = "c=IN IP4 "; char *begin, *end; char ip[32]; - begin = strstr(msg, pattern); + char *my_msg = strdup(msg); + + if (!my_msg) { + return INADDR_NONE; + } + begin = strstr(my_msg, pattern); if (!begin) { + free(my_msg); /* Can't find what we're looking at -> return no address */ return INADDR_NONE; } begin += sizeof("c=IN IP4 ") - 1; end = strstr(begin, "\r\n"); - if (!end) + if (!end) { + free(my_msg); return INADDR_NONE; + } + *end = '\0'; memset(ip, 0, 32); - strncpy(ip, begin, end - begin); + strncpy(ip, begin, sizeof(ip) - 1); + ip[sizeof(ip) - 1] = '\0'; + free(my_msg); return inet_addr(ip); } @@ -156,20 +167,30 @@ char pattern[] = "c=IN IP6 "; char *begin, *end; char ip[128]; + char *my_msg = strdup(msg); memset(addr, 0, sizeof(*addr)); memset(ip, 0, 128); - begin = strstr(msg, pattern); + if (!my_msg) { + return 0; + } + begin = strstr(my_msg,pattern); if (!begin) { + free(my_msg); /* Can't find what we're looking at -> return no address */ return 0; } begin += sizeof("c=IN IP6 ") - 1; end = strstr(begin, "\r\n"); - if (!end) + if (!end) { + free(my_msg); return 0; - strncpy(ip, begin, end - begin); + } + *end = '\0'; + strncpy(ip, begin, sizeof(ip) -1); + ip[sizeof(ip) - 1] = '\0'; + free(my_msg); if (!inet_pton(AF_INET6, ip, addr)) { return 0; } @@ -196,17 +217,27 @@ ERROR("Internal error: Undefined media pattern %d\n", 3); } - begin = strstr(msg, pattern); + char *my_msg = strdup(msg); + if (!my_msg) { + return 0; + } + begin = strstr(my_msg, pattern); if (!begin) { + free(my_msg); /* m=audio not found */ return 0; } begin += strlen(pattern) - 1; end = strstr(begin, "\r\n"); - if (!end) + if (!end) { + free(my_msg); ERROR("get_remote_port_media: no CRLF found"); + } + *end = '\0'; memset(number, 0, sizeof(number)); strncpy(number, begin, sizeof(number) - 1); + number[sizeof(number) - 1] = '\0'; + free(my_msg); return atoi(number); } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |