From 6e4aa8b3f4929ee25e8078f9f1a3b5d422e12bae Mon Sep 17 00:00:00 2001
From: "Alfred E. Heggestad"
Date: Sun, 15 Jan 2012 14:58:41 +0000
Subject: [PATCH] patch: SIP tcp receive; startline max 8192, TCP reasm buffer max 64K
---
 src/sip/msg.c | 3 ++-
 src/sip/transp.c | 8 +++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/sip/msg.c b/src/sip/msg.c
index ee28dbf..1af13b1 100644
--- a/src/sip/msg.c
+++ b/src/sip/msg.c
@@ -20,6 +20,7 @@
 enum {
 HDR_HASH_SIZE = 32,
+ STARTLINE_MAX = 8192,
 };
@@ -266,7 +267,7 @@ int sip_msg_decode(struct sip_msg **msgp, struct mbuf *mb)
 if (re_regex(p, l, "[^ \t\r\n]+ [^ \t\r\n]+ [^\r\n]*[\r]*[\n]1", &x, &y, &z, NULL, &e) || x.p != (char *)mbuf_buf(mb))
- return EBADMSG;
+ return (l > STARTLINE_MAX) ? EBADMSG : ENODATA;
 msg = mem_zalloc(sizeof(*msg), destructor);
 if (!msg)
diff --git a/src/sip/transp.c b/src/sip/transp.c
index a38bdf2..7572145 100644
--- a/src/sip/transp.c
+++ b/src/sip/transp.c
@@ -26,6 +26,7 @@
 enum {
 TCP_ACCEPT_TIMEOUT = 32,
 TCP_KEEPALIVE_TIMEOUT = 10,
 TCP_KEEPALIVE_INTVAL = 120,
+ TCP_BUFSIZE_MAX = 65536,
 };
@@ -339,6 +340,11 @@ static void tcp_recv_handler(struct mbuf *mb, void *arg)
 goto out;
 conn->mb->pos = pos;
+
+ if (mbuf_get_left(conn->mb) > TCP_BUFSIZE_MAX) {
+ err = EOVERFLOW;
+ goto out;
+ }
 } else {
 conn->mb = mem_ref(mb);
@@ -414,7 +420,7 @@ static void tcp_recv_handler(struct mbuf *mb, void *arg)
 sip_recv(conn->sip, msg);
 mem_deref(msg);
- if (end == conn->mb->end) {
+ if (end <= conn->mb->end) {
 conn->mb = mem_deref(conn->mb);
 break;
 }
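Review bot: The new return in sip_msg_decode turns every start-line failure below STARTLINE_MAX into ENODATA, including the `x.p != (char *)mbuf_buf(mb)` case where the regex did match but not at the start of the buffer, so a caller that treats ENODATA as "wait for more bytes" will keep buffering leading garbage until the buffer passes 8192 bytes instead of rejecting it at once; that is only safe if every stream caller bounds its buffer, and any non-stream caller reaching this path now sees ENODATA for a malformed message, which is not visible here because the body of sip_msg_decode starts and ends outside the hunk. A comment would make the contract explicit, e.g. `/* no complete start line yet: request more data, but give up once more than STARTLINE_MAX bytes arrived without one */`. In the enum hunk above, `STARTLINE_MAX` deserves a matching note, `/* longest start line tolerated before the input is rejected as EBADMSG */`.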
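Review bot: The TCP_BUFSIZE_MAX check in tcp_recv_handler runs after the incoming chunk has already been appended to conn->mb (the write and its `goto out;` precede the check, and the start of the function is outside the hunk), so the reassembly buffer can reach TCP_BUFSIZE_MAX plus one receive chunk before EOVERFLOW fires, and the `else` branch that adopts `mem_ref(mb)` is not bounded at all, though a single chunk is presumably limited by the transport's read size. If the append is a plain copy of `mbuf_get_left(mb)` bytes, test the sum before copying instead: `if (mbuf_get_left(conn->mb) + mbuf_get_left(mb) > TCP_BUFSIZE_MAX) { err = EOVERFLOW; goto out; }`. Since sip_msg_decode now answers ENODATA for an incomplete start line, this check is what stops a peer from growing the per-connection buffer without bound, so the constant in the enum hunk above should say so: `/* upper bound on buffered partial SIP data per TCP connection */`.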
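Review bot: The relaxation of `end == conn->mb->end` to `end <= conn->mb->end` carries no comment and is not mentioned in the commit message, yet it decides whether the buffered bytes are kept for the next iteration or the whole buffer is dropped; `end` and the enclosing loop are computed outside the hunk, so a reader cannot tell which case makes `end < conn->mb->end` reachable. If `end` is the offset just past the consumed message, the new `<` case silently discards unconsumed bytes together with the buffer; if the decoder moved `conn->mb->end` onto the message, the `<` case is the normal one and the old `==` was the bug. State which in a comment on the condition, e.g. `/* end may be below mb->end when ...; nothing is left to reassemble either way */`, so the comparison is not reverted later.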