[OpenSIPS-Devel] [OpenSIPS/opensips] 267e9e: lib/csv: Fix some memleak corner-cases (reported b...

Liviu Chircu noreply at github.com
Mon Oct 10 15:15:43 UTC 2022


  Branch: refs/heads/3.1
  Home:   https://github.com/OpenSIPS/opensips
  Commit: 267e9eb64235abc50fa7cc3b3650113fc8e5922f
      https://github.com/OpenSIPS/opensips/commit/267e9eb64235abc50fa7cc3b3650113fc8e5922f
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M lib/csv.c

  Log Message:
  -----------
  lib/csv: Fix some memleak corner-cases (reported by OSS-Fuzz)

Fixes OSS-Fuzz#39925

(cherry picked from commit ff34d213cad9c2b24460aecc206520bac5411bdc)


  Commit: 55e18ff66d795e0b9614f5484fc91239e50a5386
      https://github.com/OpenSIPS/opensips/commit/55e18ff66d795e0b9614f5484fc91239e50a5386
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M parser/parse_uri.c

  Log Message:
  -----------
  parse_uri: Complete the fix for undefined bitwise left-shift (OSS-Fuzz)

The default auto-cast to (int) is not enough, as a value such as
255 << 24 can still overflow the 31 value bits...

Fixes OSS-Fuzz#51542

(cherry picked from commit e0d90ec107484051e6c769056036447361c5724d)
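As an added illustration of the shift described above (example code written for this note, not the OpenSIPS parser; the dotted-quad parser, its name and its helpers are assumptions), the octet is widened to an unsigned type before the shift, so `255 << 24` can never land in the sign bit of a 31-value-bit `int`:

```c
/* Added example, not OpenSIPS code. With plain int arithmetic, 255 << 24 is
 * undefined: the unsigned char is promoted to signed int and the shifted bit
 * reaches the sign bit. Widening to uint32_t first keeps the same result bits
 * without the UB. */
#include <stdint.h>
#include <stdio.h>

/* Safe packing: each octet is converted to uint32_t *before* it is shifted. */
uint32_t pack_be32(unsigned char a, unsigned char b, unsigned char c, unsigned char d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Parse "a.b.c.d" from [s, end), bounded by @end rather than a NUL terminator.
 * Returns the packed value, or -1 on malformed input (assumed helper). */
long long parse_ipv4(const char *s, const char *end)
{
    unsigned char oct[4];
    for (int i = 0; i < 4; i++) {
        int v = 0, ndig = 0;
        while (s < end && *s >= '0' && *s <= '9') {
            v = v * 10 + (*s++ - '0');
            if (v > 255)
                return -1;              /* octet out of range */
            ndig++;
        }
        if (ndig == 0)
            return -1;                  /* empty octet, e.g. "1..2.3" */
        oct[i] = (unsigned char)v;
        if (i < 3 && (s == end || *s++ != '.'))
            return -1;                  /* missing separator */
    }
    if (s != end)
        return -1;                      /* trailing garbage */
    return pack_be32(oct[0], oct[1], oct[2], oct[3]);
}

/* Wrapper for NUL-terminated strings, used by the constructed inputs below. */
long long parse_ipv4_str(const char *s)
{
    const char *end = s;
    while (*end)
        end++;
    return parse_ipv4(s, end);
}

int main(void)
{
    /* constructed input: the 255 octet is exactly the case from the commit message */
    printf("255.0.0.1 -> 0x%08llx\n", (unsigned long long)parse_ipv4_str("255.0.0.1"));
    return 0;
}
```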


  Commit: e4e38bcc6dffa42e674a13ae7eca042efdf5abd9
      https://github.com/OpenSIPS/opensips/commit/e4e38bcc6dffa42e674a13ae7eca042efdf5abd9
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M parser/parse_uri.c

  Log Message:
  -----------
  parse_uri: Parse the port into an unsigned integer (OSS-Fuzz)

Fixes OSS-Fuzz#51605

(cherry picked from commit b4a72a5f96f5726afa48854ad0850fe14f78909d)


  Commit: 4e1363b60e1790f2080220903a2df42db3b16443
      https://github.com/OpenSIPS/opensips/commit/4e1363b60e1790f2080220903a2df42db3b16443
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M parser/parse_hname2.c
    M parser/test/test_parser.c

  Log Message:
  -----------
  parse_msg(): Fix out-of-bounds read edge-case (OSS-Fuzz)

Also add a unit test suite for parse_msg().

Severity: low
Fixes OSS-Fuzz#39802

(cherry picked from commit 66898d8208d158d95a27f1a76078a29bd1e08d7e)


  Commit: 97e2885420aa788be259e977b3a3fb86c3eab46e
      https://github.com/OpenSIPS/opensips/commit/97e2885420aa788be259e977b3a3fb86c3eab46e
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M parser/parse_hname2.c

  Log Message:
  -----------
  Fix rare UB on left-shift signed int overflow

By default, most commonly used compilers *define* some behaviour when
this overflow occurs, such that the program will continue normally,
without any negative consequences.

Severity: Minor
Fixes OSS-Fuzz#40201

(cherry picked from commit 2ba963b0c5e2b6705a3f28ce44e57b248988a103)


  Commit: 91e0ca626fe4ccfd143392d39bcb52ea13183f18
      https://github.com/OpenSIPS/opensips/commit/91e0ca626fe4ccfd143392d39bcb52ea13183f18
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M parser/parse_to.c
    M parser/test/test_parser.c

  Log Message:
  -----------
  parse_to_param(): Fix out-of-bounds read edge-case (OSS-Fuzz)

Severity: Low
Fixes OSS-Fuzz#41073

(cherry picked from commit 90aa25e64f36b22fbcae9aae910257b43f81641f)


  Commit: e3218949b324779d1f56ff0035af3b4d7ff84433
      https://github.com/OpenSIPS/opensips/commit/e3218949b324779d1f56ff0035af3b4d7ff84433
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M parser/parse_to.c

  Log Message:
  -----------
  parse_to_param(): Rework previous fix (OSS-Fuzz)

Invoking strlen() on a non-NULL-terminated buffer is equally bad,
possibly even worse.  Instead, simply rely on the @end parameter being
correct, which is an assumption already made by the current code of the
function.

Fixes OSS-Fuzz#41073

(cherry picked from commit 51b908f8fde0aa2eac8dbcfff319281625d6f3f2)


  Commit: b2f0480a196e1105e2e95ed87ab9a32f42655560
      https://github.com/OpenSIPS/opensips/commit/b2f0480a196e1105e2e95ed87ab9a32f42655560
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M parser/parse_content.c

  Log Message:
  -----------
  parse_content_length(): Fix integer overflow edge-case (OSS-Fuzz)

This completes commit 7cab422e2f, where it was still possible to cause
an integer overflow even after the fix, with input such as 2147483609,
due to missing parentheses in the number equation.

Fixes OSS-Fuzz#52112

(cherry picked from commit 837263b47dcb33909b109b5cc050c1ab4a6c64a2)
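As an added example of the bound check such a header parser needs (written for this note, not the OpenSIPS code; the function names are assumptions), the overflow test is done before the multiply, with the parentheses placed so that the subtraction happens before the division; the 2147483609 value from the commit message is among the constructed inputs:

```c
/* Added example, not OpenSIPS code: an overflow-checked decimal parser of the
 * kind Content-Length needs. The guard (INT_MAX - digit) / 10 is evaluated
 * before number is multiplied, so the accumulator can never wrap. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Parse [s, end) as a non-negative decimal integer.
 * Returns the value, or -1 on overflow, empty or non-digit input. */
int parse_clen(const char *s, const char *end)
{
    int number = 0;
    if (s == end)
        return -1;
    for (; s < end; s++) {
        int digit = *s - '0';
        if (digit < 0 || digit > 9)
            return -1;
        /* Would number * 10 + digit exceed INT_MAX? The parentheses matter:
         * the subtraction must happen before the division, otherwise the
         * expression no longer bounds the multiplication that follows. */
        if (number > (INT_MAX - digit) / 10)
            return -1;
        number = number * 10 + digit;
    }
    return number;
}

/* Wrapper for NUL-terminated strings, used by the constructed inputs below. */
int parse_clen_str(const char *s)
{
    const char *end = s;
    while (*end)
        end++;
    return parse_clen(s, end);
}

int main(void)
{
    /* constructed inputs: the value from the commit message plus boundary cases */
    const char *inputs[] = { "0", "2147483609", "2147483647", "2147483648", "12a" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++)
        printf("%-11s -> %d\n", inputs[i], parse_clen_str(inputs[i]));
    return 0;
}
```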


  Commit: c4a35a99f67664ab8578f081bdd608aee3f4fc3b
      https://github.com/OpenSIPS/opensips/commit/c4a35a99f67664ab8578f081bdd608aee3f4fc3b
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M parser/msg_parser.c
    M parser/test/test_parser.c

  Log Message:
  -----------
  parse_msg(): Fix heap buffer overflow edge-case (OSS-Fuzz)

This patch fixes a SIP message parsing error log which could lead to an
unsafe printing of a non-NULL-terminated string.  Fortunately, the
OpenSIPS PKG memory allocator minimizes the severity of this overflow,
thanks to its pre-allocated, large chunk of heap memory.

Severity: Low
Fixes OSS-Fuzz#52204

(cherry picked from commit 2a6f8c67aa15ebf507cc9ff2bd881d771858fed7)


Compare: https://github.com/OpenSIPS/opensips/compare/f9c007121f01...c4a35a99f676


