< Previous by Date	Date Index	Next by Date >
< Previous in Thread	Thread Index

Re: [reSIProcate] Unsafe use of Content-Length in ConnectionBase

From: Byron Campen <bcampen@xxxxxxxxxxxx>
Date: Mon, 11 Sep 2006 16:57:20 -0500

I have taken another look at this, and added some stuff to resip/stack/testTcp.cxx that triggers the bug. Bad Content-Length doesn'tcause us to core or assert, it appears, but we do leak lots ofmemory. (run this test under valgrind to see) I have some code thatfixes the leak in a working copy, here is the patch:


Index: ConnectionBase.cxx
===================================================================
--- ConnectionBase.cxx  (revision 6562)
+++ ConnectionBase.cxx  (working copy)
@@ -170,9 +170,28 @@
          }
          else
          {
-            // The message header is complete.

- size_t contentLength = mMessage->header(h_ContentLength).value();

+            size_t contentLength = 0;

+            try
+            {
+               // The message header is complete.
+               contentLength=mMessage->header(h_ContentLength).value();
+            }
+            catch(resip::ParseBuffer::Exception& e)
+            {

+ WarningLog(<<"Malformed Content-Length in connection-based transport"

+                           ". Not much we can do to fix this.");
+               // !bwc! Bad Content-Length. We are hosed.
+               delete mMessage;
+               mMessage = 0;
+               mBuffer = 0;

+ // !bwc! mMessage just took ownership of mBuffer, sowe don't

+               // delete it here.
+               //.jacob. Shouldn't the state also be set here?
+               delete this;
+               return;
+            }
+
             if (numUnprocessedChars < contentLength)
             {
                // The message body is incomplete.
@@ -234,7 +253,26 @@
       }
       case PartialBody:
       {

- size_t contentLength = mMessage->header(h_ContentLength).value();

+         size_t contentLength = 0;
+
+         try
+         {
+             contentLength = mMessage->header(h_ContentLength).value();
+         }
+         catch(resip::ParseBuffer::Exception& e)
+         {

+ WarningLog(<<"Malformed Content-Length in connection-based transport"

+                        ". Not much we can do to fix this.");
+            // !bwc! Bad Content-Length. We are hosed.
+            delete [] mBuffer;
+            mBuffer = 0;
+            delete mMessage;
+            mMessage = 0;
+            //.jacob. Shouldn't the state also be set here?
+            delete this;
+            return;
+         }
+
          mBufferPos += bytesRead;
          if (mBufferPos == contentLength)
          {

Comments?

Best regards,
Byron Campen

ConnectionBase uses header(h_ContentLength) without a try block intwo places. If Content-Length is malformed, we could end up withstrange behavior (I haven't dug very deep into precisely howstrange). Recommend we wrap these in try, and if something goeswrong, scrap the connection.
Best regards,
Byron Campen

_______________________________________________
resiprocate-devel mailing list
resiprocate-devel@xxxxxxxxxxxxxxxxxxx
https://list.sipfoundry.org/mailman/listinfo/resiprocate-devel

Attachment: smime.p7s
Description: S/MIME cryptographic signature

References:
- [reSIProcate] Unsafe use of Content-Length in ConnectionBase
  - From: Byron Campen

Prev by Date: Re: [reSIProcate] bug in SipFrag.cxx
Next by Date: [reSIProcate] Control over sending ACK
Previous by thread: [reSIProcate] Unsafe use of Content-Length in ConnectionBase
Next by thread: [reSIProcate] To DUM or not to DUM that is the question
Index(es):
- Date
- Thread