[OpenSIPS-Devel] [OpenSIPS/opensips] 0c2e70: lib/csv: Fix some memleak corner-cases (reported b...

Liviu Chircu noreply at github.com
Mon Oct 10 15:13:32 UTC 2022


  Branch: refs/heads/3.2
  Home:   https://github.com/OpenSIPS/opensips
  Commit: 0c2e70058fe3e5f5071ce4677017cb3eaf2511c3
      https://github.com/OpenSIPS/opensips/commit/0c2e70058fe3e5f5071ce4677017cb3eaf2511c3
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M lib/csv.c

  Log Message:
  -----------
  lib/csv: Fix some memleak corner-cases (reported by OSS-Fuzz)

Fixes OSS-Fuzz#39925

(cherry picked from commit ff34d213cad9c2b24460aecc206520bac5411bdc)


  Commit: c46af85cadd91a05cbb52687ab27f94ae79b3aa6
      https://github.com/OpenSIPS/opensips/commit/c46af85cadd91a05cbb52687ab27f94ae79b3aa6
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M parser/parse_uri.c

  Log Message:
  -----------
  parse_uri: Complete the fix for undefined bitwise left-shift (OSS-Fuzz)

The default auto-cast to (int) is not enough, as a value such as
255 << 24 can still overflow the 31 value bits...

Fixes OSS-Fuzz#51542

(cherry picked from commit e0d90ec107484051e6c769056036447361c5724d)


  Commit: 7e12f00dc0f1d1638a78fa792074c1a46db269bd
      https://github.com/OpenSIPS/opensips/commit/7e12f00dc0f1d1638a78fa792074c1a46db269bd
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M parser/parse_uri.c

  Log Message:
  -----------
  parse_uri: Parse the port into an unsigned integer (OSS-Fuzz)

Fixes OSS-Fuzz#51605

(cherry picked from commit b4a72a5f96f5726afa48854ad0850fe14f78909d)


  Commit: 973b04d8805d9e1b73833eba682790fcd7d0e56c
      https://github.com/OpenSIPS/opensips/commit/973b04d8805d9e1b73833eba682790fcd7d0e56c
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M parser/parse_hname2.c
    M parser/test/test_parser.c

  Log Message:
  -----------
  parse_msg(): Fix out-of-bounds read edge-case (OSS-Fuzz)

Also add a unit test suite for parse_msg().

Severity: low
Fixes OSS-Fuzz#39802

(cherry picked from commit 66898d8208d158d95a27f1a76078a29bd1e08d7e)


  Commit: ff17c36863b4582f597f3750444c12e7ce323cc8
      https://github.com/OpenSIPS/opensips/commit/ff17c36863b4582f597f3750444c12e7ce323cc8
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M parser/parse_hname2.c

  Log Message:
  -----------
  Fix rare UB on left-shift signed int overflow

By default, most commonly used compilers *define* some behaviour when
this overflow occurs, such that the program will continue normally,
without any negative consequences.

Severity: Minor
Fixes OSS-Fuzz#40201

(cherry picked from commit 2ba963b0c5e2b6705a3f28ce44e57b248988a103)


  Commit: bab0ab5dc6211636b1481a265959b88735cac778
      https://github.com/OpenSIPS/opensips/commit/bab0ab5dc6211636b1481a265959b88735cac778
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M parser/parse_to.c
    M parser/test/test_parser.c

  Log Message:
  -----------
  parse_to_param(): Fix out-of-bounds read edge-case (OSS-Fuzz)

Severity: Low
Fixes OSS-Fuzz#41073

(cherry picked from commit 90aa25e64f36b22fbcae9aae910257b43f81641f)


  Commit: 9aa1033b9598f85d88a9bdd1b12d0cb15b0ca940
      https://github.com/OpenSIPS/opensips/commit/9aa1033b9598f85d88a9bdd1b12d0cb15b0ca940
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M parser/parse_to.c

  Log Message:
  -----------
  parse_to_param(): Rework previous fix (OSS-Fuzz)

Invoking strlen() on a non-NULL-terminated buffer is equally bad,
possibly even worse.  Instead, simply rely on the @end parameter being
correct, which is an assumption already made by the current code of the
function.

Fixes OSS-Fuzz#41073

(cherry picked from commit 51b908f8fde0aa2eac8dbcfff319281625d6f3f2)


  Commit: 1d314b2ad07046e3a80b0c1de59daab3cd4e08f2
      https://github.com/OpenSIPS/opensips/commit/1d314b2ad07046e3a80b0c1de59daab3cd4e08f2
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M parser/parse_content.c

  Log Message:
  -----------
  parse_content_length(): Fix integer overflow edge-case (OSS-Fuzz)

This completes commit 7cab422e2f, where it was still possible to cause
an integer overflow even after the fix, with input such as 2147483609,
due to missing parentheses in the number equation.

Fixes OSS-Fuzz#52112

(cherry picked from commit 837263b47dcb33909b109b5cc050c1ab4a6c64a2)


  Commit: 204092b4110ba76f2b99f05bf31c5d278fc76730
      https://github.com/OpenSIPS/opensips/commit/204092b4110ba76f2b99f05bf31c5d278fc76730
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M parser/msg_parser.c
    M parser/test/test_parser.c

  Log Message:
  -----------
  parse_msg(): Fix heap buffer overflow edge-case (OSS-Fuzz)

This patch fixes a SIP message parsing error log which could lead to an
unsafe printing of a non-NULL-terminated string.  Fortunately, the
OpenSIPS PKG memory allocator minimizes the severity of this overflow,
thanks to its pre-allocated, large chunk of heap memory.

Severity: Low
Fixes OSS-Fuzz#52204

(cherry picked from commit 2a6f8c67aa15ebf507cc9ff2bd881d771858fed7)


Compare: https://github.com/OpenSIPS/opensips/compare/35e2ed8bbae9...204092b4110b
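Two of the defect classes in these commits, the integer-overflow bound in parse_content_length() and the signed left-shift in parse_uri, shown as an added C example that is not OpenSIPS code and does not reproduce the actual patches; parse_content_length_safe(), parse_cl_str() and pack_top_byte() are hypothetical names, and the parser reads only [start, end) so it never needs a NUL terminator (the @end contract mentioned in the parse_to_param() message).

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical overflow-safe decimal parser for a Content-Length value.
 * Returns 0 on success, -1 on malformed input or overflow. Only the
 * bytes in [start, end) are read. */
static int parse_content_length_safe(const char *start, const char *end,
                                     int *out)
{
    const char *p;
    int n = 0;

    if (start == end)
        return -1;
    for (p = start; p != end; p++) {
        int d;
        if (*p < '0' || *p > '9')
            return -1;
        d = *p - '0';
        /* n * 10 + d must stay <= INT_MAX. The parentheses matter:
         * "INT_MAX - d / 10" would be a different, wrong bound. */
        if (n > (INT_MAX - d) / 10)
            return -1;
        n = n * 10 + d;
    }
    *out = n;
    return 0;
}

/* Convenience wrapper: parse a NUL-terminated string, returning the
 * length or -1 on error (strlen() is safe here, on a string literal). */
static long parse_cl_str(const char *s)
{
    int v;
    if (parse_content_length_safe(s, s + strlen(s), &v) != 0)
        return -1;
    return v;
}

/* Shifting a byte into the top of a 32-bit word: do it in unsigned
 * arithmetic, since 255 << 24 does not fit the 31 value bits of int. */
static uint32_t pack_top_byte(unsigned char b)
{
    return (uint32_t)b << 24;
}

int main(void)
{
    printf("%ld %ld 0x%08x\n", parse_cl_str("2147483609"),
           parse_cl_str("2147483648"), pack_top_byte(255));
    return 0;
}
```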
