-
-
Notifications
You must be signed in to change notification settings - Fork 14.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
…2024-3120-r23.11 [23.11] sngrep: add patch for CVE-2024-3119 & CVE-2024-3120
- Loading branch information
Showing
2 changed files
with
75 additions
and
0 deletions.
There are no files selected for viewing
74 changes: 74 additions & 0 deletions
74
pkgs/applications/networking/sniffers/sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| Based on upstream dd5fec92730562af6f96891291cd4e102b80bfcc, adjusted to | ||
| apply cleanly to 1.7.0 | ||
|
|
||
| diff --git a/src/sip.c b/src/sip.c | ||
| index 20a2d81..f2dde5c 100644 | ||
| --- a/src/sip.c | ||
| +++ b/src/sip.c | ||
| @@ -264,7 +264,7 @@ sip_validate_packet(packet_t *packet) | ||
| uint32_t plen = packet_payloadlen(packet); | ||
| u_char payload[MAX_SIP_PAYLOAD]; | ||
| regmatch_t pmatch[4]; | ||
| - char cl_header[10]; | ||
| + char cl_header[MAX_CONTENT_LENGTH_SIZE]; | ||
| int content_len; | ||
| int bodylen; | ||
|
|
||
| @@ -291,7 +291,15 @@ sip_validate_packet(packet_t *packet) | ||
| return VALIDATE_PARTIAL_SIP; | ||
| } | ||
|
|
||
| - strncpy(cl_header, (const char *)payload + pmatch[2].rm_so, (int)pmatch[2].rm_eo - pmatch[2].rm_so); | ||
| + // Ensure the copy length does not exceed MAX_CONTENT_LENGTH_SIZE - 1 | ||
| + int cl_match_len = pmatch[2].rm_eo - pmatch[2].rm_so; | ||
| + if (cl_match_len > MAX_CONTENT_LENGTH_SIZE - 1) { | ||
| + cl_match_len = MAX_CONTENT_LENGTH_SIZE - 1; | ||
| + } | ||
| + | ||
| + strncpy(cl_header, (const char *)payload + pmatch[2].rm_so, cl_match_len); | ||
| + cl_header[cl_match_len] = '\0'; // Ensuring null termination | ||
| + | ||
| content_len = atoi(cl_header); | ||
|
|
||
| // Check if we have Body separator field | ||
| @@ -756,7 +764,7 @@ void | ||
| sip_parse_extra_headers(sip_msg_t *msg, const u_char *payload) | ||
| { | ||
| regmatch_t pmatch[4]; | ||
| - char warning[10]; | ||
| + char warning[MAX_WARNING_SIZE]; | ||
|
|
||
| // Reason text | ||
| if (regexec(&calls.reg_reason, (const char *)payload, 2, pmatch, 0) == 0) { | ||
| @@ -766,8 +774,16 @@ sip_parse_extra_headers(sip_msg_t *msg, const u_char *payload) | ||
|
|
||
| // Warning code | ||
| if (regexec(&calls.reg_warning, (const char *)payload, 2, pmatch, 0) == 0) { | ||
| - strncpy(warning, (const char *)payload + pmatch[1].rm_so, (int)pmatch[1].rm_eo - pmatch[1].rm_so); | ||
| - msg->call->warning = atoi(warning); | ||
| + | ||
| + // Ensure the copy length does not exceed MAX_WARNING_SIZE - 1 | ||
| + int warning_match_len = pmatch[1].rm_eo - pmatch[1].rm_so; | ||
| + if (warning_match_len > MAX_WARNING_SIZE - 1) { | ||
| + warning_match_len = MAX_WARNING_SIZE - 1; | ||
| + } | ||
| + strncpy(warning, (const char *)payload + pmatch[1].rm_so, warning_match_len); | ||
| + warning[warning_match_len] = '\0'; // Ensuring null termination | ||
| + | ||
| + msg->call->warning = atoi(warning); | ||
| } | ||
| } | ||
|
|
||
| diff --git a/src/sip.h b/src/sip.h | ||
| index 78afdc2..a9fd06e 100644 | ||
| --- a/src/sip.h | ||
| +++ b/src/sip.h | ||
| @@ -45,6 +45,8 @@ | ||
| #include "hash.h" | ||
|
|
||
| #define MAX_SIP_PAYLOAD 10240 | ||
| +#define MAX_CONTENT_LENGTH_SIZE 10 | ||
| +#define MAX_WARNING_SIZE 10 | ||
|
|
||
| //! Shorter declaration of sip_call_list structure | ||
| typedef struct sip_call_list sip_call_list_t; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters