kamailio-3.x: add fix for CVE-2016-2385
authorSebastian Kemper <sebastian_ml@gmx.net>
Sun, 14 Jan 2018 17:59:36 +0000 (18:59 +0100)
committerSebastian Kemper <sebastian_ml@gmx.net>
Sun, 14 Jan 2018 17:59:39 +0000 (18:59 +0100)
Fixes a heap-based buffer overflow in the encode_msg function.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
net/kamailio-3.x/Makefile
net/kamailio-3.x/patches/150-CVE-2016-2385.patch [new file with mode: 0644]

index 102099293c2f81bc12b0f54d92528c466c014088..3290dce943072fa156a450bddf1dfb723e467d3a 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=kamailio3
 PKG_VERSION:=3.3.7
-PKG_RELEASE:=9
+PKG_RELEASE:=10
 
 PKG_SOURCE_URL:=http://www.kamailio.org/pub/kamailio/$(PKG_VERSION)/src/
 PKG_SOURCE:=kamailio-$(PKG_VERSION)$(PKG_VARIANT)_src.tar.gz
diff --git a/net/kamailio-3.x/patches/150-CVE-2016-2385.patch b/net/kamailio-3.x/patches/150-CVE-2016-2385.patch
new file mode 100644 (file)
index 0000000..eb7fbe3
--- /dev/null
@@ -0,0 +1,22 @@
+--- a/modules_k/seas/encode_msg.c
++++ b/modules_k/seas/encode_msg.c
+@@ -158,6 +158,7 @@ int encode_msg(struct sip_msg *msg,char
+    if(len < MAX_ENCODED_MSG + MAX_MESSAGE_LEN)
+       return -1;
++
+    if(parse_headers(msg,HDR_EOH_F,0)<0){
+       myerror="in parse_headers";
+       goto error;
+@@ -266,6 +267,11 @@ int encode_msg(struct sip_msg *msg,char
+    /*j+=k;*/
+    /*pkg_free(payload2);*/
+    /*now we copy the actual message after the headers-meta-section*/
++
++   if(len < j + msg->len + 1) {
++      LM_ERR("not enough space to encode sip message\n");
++      return -1;
++   }
+    memcpy(&payload[j],msg->buf,msg->len);
+    LM_DBG("msglen = %d,msg starts at %d\n",msg->len,j);
+    j=htons(j);