From f894b551d8b721f03d46e93b3c08c6c39787517b Mon Sep 17 00:00:00 2001
From: Sebastian Kemper
Date: Sun, 14 Jan 2018 18:59:36 +0100
Subject: [PATCH] kamailio-3.x: add fix for CVE-2016-2385

Fixes heap-based buffer overflow in the encode_msg function.

Signed-off-by: Sebastian Kemper
---
 net/kamailio-3.x/Makefile | 2 +-
 .../patches/150-CVE-2016-2385.patch | 22 +++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 net/kamailio-3.x/patches/150-CVE-2016-2385.patch

diff --git a/net/kamailio-3.x/Makefile b/net/kamailio-3.x/Makefile
index 1020992..3290dce 100644
--- a/net/kamailio-3.x/Makefile
+++ b/net/kamailio-3.x/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=kamailio3
 PKG_VERSION:=3.3.7
-PKG_RELEASE:=9
+PKG_RELEASE:=10
 
 PKG_SOURCE_URL:=http://www.kamailio.org/pub/kamailio/$(PKG_VERSION)/src/
 PKG_SOURCE:=kamailio-$(PKG_VERSION)$(PKG_VARIANT)_src.tar.gz
diff --git a/net/kamailio-3.x/patches/150-CVE-2016-2385.patch b/net/kamailio-3.x/patches/150-CVE-2016-2385.patch
new file mode 100644
index 0000000..eb7fbe3
--- /dev/null
+++ b/net/kamailio-3.x/patches/150-CVE-2016-2385.patch
@@ -0,0 +1,22 @@
+--- a/modules_k/seas/encode_msg.c
++++ b/modules_k/seas/encode_msg.c
+@@ -158,6 +158,7 @@ int encode_msg(struct sip_msg *msg,char
+ 
+ if(len < MAX_ENCODED_MSG + MAX_MESSAGE_LEN)
+ return -1;
++
+ if(parse_headers(msg,HDR_EOH_F,0)<0){
+ myerror="in parse_headers";
+ goto error;
+@@ -266,6 +267,11 @@ int encode_msg(struct sip_msg *msg,char
+ /*j+=k;*/
+ /*pkg_free(payload2);*/
+ /*now we copy the actual message after the headers-meta-section*/
++
++ if(len < j + msg->len + 1) {
++ LM_ERR("not enough space to encode sip message\n");
++ return -1;
++ }
+ memcpy(&payload[j],msg->buf,msg->len);
+ LM_DBG("msglen = %d,msg starts at %d\n",msg->len,j);
+ j=htons(j);
-- 
2.30.2
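Review bot: The new bounds check in the second hunk of the embedded patch returns -1 directly, while the failure path a few lines earlier in the same function sets `myerror` and jumps to `error`; if that label performs cleanup (it is outside the hunk), the new early return bypasses it, so `myerror="not enough space to encode sip message"; goto error;` would keep the function's error handling in one place. The check guards only the final memcpy of msg->len bytes at payload[j]; the writes that advance `j` before line 266 are not in the hunk, so whether they are bounded by `len` or only by the earlier `MAX_ENCODED_MSG + MAX_MESSAGE_LEN` test cannot be confirmed from here and is worth verifying. The added patch file also carries no header naming what it fixes or which upstream change it backports; a line such as `CVE-2016-2385: bound the message copy in encode_msg()` followed by the upstream commit reference, placed above the first `--- a/modules_k/seas/encode_msg.c` line, would make the backport traceable. encode_msg starts and ends outside both hunks.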