[OpenSIPS-Devel] [OpenSIPS/opensips] cb0680: Fix crash with REGISTER + incomplete Authorization...

Maksym Sobolyev noreply at github.com
Tue Sep 28 09:46:32 EST 2021


  Branch: refs/heads/3.2
  Home:   https://github.com/OpenSIPS/opensips
  Commit: cb0680ab829a76ec23c41d7f63b5dbb1b6afbd63
      https://github.com/OpenSIPS/opensips/commit/cb0680ab829a76ec23c41d7f63b5dbb1b6afbd63
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2021-09-28 (Tue, 28 Sep 2021)

  Changed paths:
    M modules/auth/api.c

  Log Message:
  -----------
  Fix crash with REGISTER + incomplete Authorization header

Avoid re-using anonymous structures outside of the block scope they were
declared in.  The compiler allows such broken code, yet it is also quick
to re-use/re-claim that memory quickly after exiting the block, leading
to stack corruption later down the road, when the "now re-used struct"
is read.

Issue discovered during OpenSIPS Security Audit 2021,
    by Alfred Farrugia & Sandro Gauci (Enable Security)

(cherry picked from commit 0fadc0a6cb130d40fba6cf36bb1399d45d0496aa)


  Commit: 4e1bb9cf6a4ff0702866d2b1e2f4fb1032715a65
      https://github.com/OpenSIPS/opensips/commit/4e1bb9cf6a4ff0702866d2b1e2f4fb1032715a65
  Author: Maksym Sobolyev <sobomax at sippysoft.com>
  Date:   2021-09-28 (Tue, 28 Sep 2021)

  Changed paths:
    M modules/auth/api.c
    M str.h

  Log Message:
  -----------
  Add str_static() macro similar to the const_str() but returning
const str *, not const str_const *. This provides a useful construct
to initialize time-of-use const str * that won't go out of
scope. This is another way to address the issue fixed by @liviuchircu
in the 0fadc0a6cb, one that is a bit cleaner and generates a
slightly smaller compiled code.

(cherry picked from commit ea3436b26108fe129d04b47b02dd8d60255487c3)


Compare: https://github.com/OpenSIPS/opensips/compare/83fee1c7a42f...4e1bb9cf6a4f
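
An added illustration of the lifetime bug class described in the first log message and of the static-storage alternative named in the second; it is not code from the OpenSIPS tree. `struct cstr`, `CSTR_STATIC` and the function names are hypothetical stand-ins, and the macro relies on the GNU C statement-expression extension (gcc/clang).

```c
#include <stdio.h>

/* Hypothetical counted string (pointer + length); not the OpenSIPS definition. */
struct cstr { const char *s; int len; };

/* Hypothetical macro: yields a pointer to a function-local static object,
 * which stays valid for the whole program run (GNU C statement expression). */
#define CSTR_STATIC(lit) (__extension__ ({ \
    static const struct cstr s_ = { (lit), (int)sizeof(lit) - 1 }; &s_; }))

/* Overwrites a chunk of stack, as any later function call might. */
int clobber_stack(void)
{
    volatile unsigned char junk[256];
    int i, sum = 0;
    for (i = 0; i < 256; i++) { junk[i] = 0xAA; sum += junk[i]; }
    return sum;
}

#ifdef SHOW_BROKEN
/* Broken: the compound literal is an automatic object of the else-block, so
 * its lifetime ends at the closing brace and v dangles (undefined behaviour). */
int field_len_broken(const struct cstr *field)
{
    const struct cstr *v;
    if (field) { v = field; } else { v = &(struct cstr){ "", 0 }; }
    clobber_stack();
    return v->len;
}
#endif

/* Fixed: the fallback has static storage, so v stays valid after the block. */
const struct cstr *field_or_empty(const struct cstr *field)
{
    const struct cstr *v;
    if (field) { v = field; } else { v = CSTR_STATIC(""); }
    return v;
}

int field_len(const struct cstr *field)
{
    const struct cstr *v = field_or_empty(field);
    clobber_stack();            /* stack reuse no longer affects *v */
    return v->len;
}

const struct cstr sample_user = { "alice", 5 };   /* constructed sample input */

int main(void) { printf("%d %d\n", field_len(&sample_user), field_len(NULL)); return 0; }
```

Compiling with `-DSHOW_BROKEN` includes the dangling variant for comparison; nothing in the example calls it.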


