Module: kamailio Branch: 5.8 Commit: 060b6c2530c82f71eff0a205baaa248f9be11388 URL: https://github.com/kamailio/kamailio/commit/060b6c2530c82f71eff0a205baaa248f9be11388
Author: Daniel-Constantin Mierla <[email protected]> Committer: Daniel-Constantin Mierla <[email protected]> Date: 2026-03-05T18:02:15+01:00 core: tcp read - check coontent lenght for max int limit (cherry picked from commit 2c47fe1625b57e04252230e0e783ba4182afbebb) (cherry picked from commit 4076b32435b32205460e4d5fbcbef3ed8500e8c7) (cherry picked from commit 0d7a4b072cd649b7109451e15f2611461f35cdb5) --- Modified: src/core/tcp_read.c --- Diff: https://github.com/kamailio/kamailio/commit/060b6c2530c82f71eff0a205baaa248f9be11388.diff Patch: https://github.com/kamailio/kamailio/commit/060b6c2530c82f71eff0a205baaa248f9be11388.patch --- diff --git a/src/core/tcp_read.c b/src/core/tcp_read.c index 014b391fa70..e5ddc89886d 100644 --- a/src/core/tcp_read.c +++ b/src/core/tcp_read.c @@ -853,7 +853,16 @@ int tcp_read_headers(struct tcp_connection *c, rd_conn_flags_t *read_flags) case '7': case '8': case '9': - r->content_len = r->content_len * 10 + (*p - '0'); + if(r->content_len >= INT_MAX / 10) { + LM_ERR("large Content-Length header value %d in" + " state %d\n", + r->content_len, r->state); + r->content_len = 0; + r->error = TCP_REQ_BAD_LEN; + r->state = H_SKIP; /* skip now */ + } else { + r->content_len = r->content_len * 10 + (*p - '0'); + } break; case '\r': case ' ': _______________________________________________ Kamailio - Development Mailing List -- [email protected] To unsubscribe send an email to [email protected] Important: keep the mailing list in the recipients, do not reply only to the sender!
