diff --git a/src/sip/msg.c b/src/sip/msg.c
index ee28dbf..1af13b1 100644
--- a/src/sip/msg.c
+++ b/src/sip/msg.c
@@ -20,6 +20,7 @@ enum {
 	HDR_HASH_SIZE = 32,
+	STARTLINE_MAX = 8192,
 };
@@ -266,7 +267,7 @@ int sip_msg_decode(struct sip_msg **msgp, struct mbuf *mb)
 	if (re_regex(p, l, "[^ \t\r\n]+ [^ \t\r\n]+ [^\r\n]*[\r]*[\n]1", &x, &y, &z, NULL, &e) || x.p != (char *)mbuf_buf(mb))
-		return EBADMSG;
+		return (l > STARTLINE_MAX) ? EBADMSG : ENODATA;
 	msg = mem_zalloc(sizeof(*msg), destructor);
 	if (!msg)
diff --git a/src/sip/transp.c b/src/sip/transp.c
index a38bdf2..7572145 100644
--- a/src/sip/transp.c
+++ b/src/sip/transp.c
@@ -26,6 +26,7 @@ enum {
 	TCP_ACCEPT_TIMEOUT = 32,
 	TCP_KEEPALIVE_TIMEOUT = 10,
 	TCP_KEEPALIVE_INTVAL = 120,
+	TCP_BUFSIZE_MAX = 65536,
 };
@@ -339,6 +340,11 @@ static void tcp_recv_handler(struct mbuf *mb, void *arg)
 			goto out;
 		conn->mb->pos = pos;
+
+		if (mbuf_get_left(conn->mb) > TCP_BUFSIZE_MAX) {
+			err = EOVERFLOW;
+			goto out;
+		}
 	}
 	else {
 		conn->mb = mem_ref(mb);
@@ -414,7 +420,7 @@ static void tcp_recv_handler(struct mbuf *mb, void *arg)
 			sip_recv(conn->sip, msg);
 			mem_deref(msg);
-			if (end == conn->mb->end) {
+			if (end <= conn->mb->end) {
 				conn->mb = mem_deref(conn->mb);
 				break;
 			}
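Review bot: The new `ENODATA` return in sip_msg_decode changes the function's contract — callers must now tell "start line incomplete, wait for more bytes" apart from "malformed" — but the function's documentation lies outside the hunk and nothing records the new meaning or the STARTLINE_MAX cutoff. Suggest adding to the function comment: `@return ENODATA when the start line is not yet complete and more data is needed; EBADMSG when it is malformed or more than STARTLINE_MAX bytes have arrived without a complete start line`. Since `l` is set before the hunk and appears to be the whole unparsed buffer rather than the start-line length, the constant bounds how much unterminated input is tolerated before the peer is rejected, not the length of a start line that does parse; a one-line comment on the return saying so would keep the name from misleading. If the UDP receive path also calls this function, confirm it treats ENODATA as terminal, since no further bytes can arrive for a datagram.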
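Review bot: The TCP_BUFSIZE_MAX check in tcp_recv_handler runs only in the branch where new bytes were appended to an existing conn->mb, not in the `else` branch that adopts the incoming mbuf directly (`conn->mb = mem_ref(mb)`), so whether a single oversized read can bypass the cap depends on the TCP layer's read chunk size, which is outside the hunk. Moving the comparison below the if/else so it covers both branches removes that dependency. The check also runs after the append, so peak buffered memory per connection is TCP_BUFSIZE_MAX plus one read chunk; a comment next to the constant would make the bound explicit, e.g. `/* upper bound on buffered, not-yet-parsed bytes per TCP connection; a peer exceeding it is dropped with EOVERFLOW */`. What `goto out` does with err set is outside the hunk — confirm it closes the connection rather than merely returning, otherwise the oversized partial buffer stays allocated.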
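Review bot: Relaxing `end == conn->mb->end` to `end <= conn->mb->end` changes when the connection buffer is released, but both the assignment of `end` and any adjustment of conn->mb->end happen outside the hunk, so the reason for admitting the `<` case cannot be recovered from the patch and deserves a comment. If `end` is the true end of received data saved before the body length was applied to the buffer, `end < conn->mb->end` means the declared body extends past the bytes actually received and releasing the buffer is a sound guard; if `end` instead marks where the consumed message stops, the `<` case would silently discard pipelined data. Suggest a comment on the changed line stating which invariant holds, along the lines of `/* buffer fully consumed, or message end lies beyond received data: release it */`, adjusted to the actual meaning of `end`. The comparison also runs after sip_recv() returns, so if a handler can modify conn->mb that assumption should be stated as well.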