This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
pespin gerrit-no-reply at lists.osmocom.orgpespin has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-mgw/+/14905
Change subject: Catch unsigned integer MGCP parsing errors with strtoul
......................................................................
Catch unsigned integer MGCP parsing errors with strtoul
Checks to find if strotul failed are taken both from:
man strtoul
man strtol
Change-Id: Ifba1c1e3151d6f92f9da3d4ca2569a5908455ca8
---
M src/libosmo-mgcp-client/mgcp_client.c
M src/libosmo-mgcp/mgcp_sdp.c
2 files changed, 16 insertions(+), 2 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-mgw refs/changes/05/14905/1
diff --git a/src/libosmo-mgcp-client/mgcp_client.c b/src/libosmo-mgcp-client/mgcp_client.c
index fd188c3..910289e 100644
--- a/src/libosmo-mgcp-client/mgcp_client.c
+++ b/src/libosmo-mgcp-client/mgcp_client.c
@@ -36,6 +36,8 @@
#include <unistd.h>
#include <string.h>
#include <ctype.h>
+#include <stdlib.h>
+#include <limits.h>
#ifndef OSMUX_CID_MAX
#define OSMUX_CID_MAX 255 /* FIXME: use OSMUX_CID_MAX from libosmo-netif? */
@@ -265,6 +267,7 @@
static int mgcp_parse_audio_port_pt(struct mgcp_response *r, char *line)
{
char *pt_str;
+ char *pt_end;
unsigned int pt;
unsigned int count = 0;
unsigned int i;
@@ -289,7 +292,11 @@
pt_str = strtok(NULL, " ");
if (!pt_str)
break;
- pt = atoi(pt_str);
+ errno = 0;
+ pt = strtoul(pt_str, &pt_end, 0);
+ if ((errno == ERANGE && pt == ULONG_MAX) || (errno && !pt) ||
+ pt_str == pt_end)
+ goto response_parse_failure_pt;
/* Do not allow duplicate payload types */
for (i = 0; i < count; i++)
diff --git a/src/libosmo-mgcp/mgcp_sdp.c b/src/libosmo-mgcp/mgcp_sdp.c
index 99e764b..70072c2 100644
--- a/src/libosmo-mgcp/mgcp_sdp.c
+++ b/src/libosmo-mgcp/mgcp_sdp.c
@@ -29,6 +29,8 @@
#include <osmocom/mgcp/mgcp_sdp.h>
#include <errno.h>
+#include <stdlib.h>
+#include <limits.h>
/* Two structs to store intermediate parsing results. The function
* mgcp_parse_sdp_data() is using the following two structs as temporary
@@ -129,6 +131,7 @@
char *str;
char *str_ptr;
char *pt_str;
+ char *pt_end;
unsigned int pt;
unsigned int count = 0;
unsigned int i;
@@ -154,7 +157,11 @@
if (!pt_str)
break;
- pt = atoi(pt_str);
+ errno = 0;
+ pt = strtoul(pt_str, &pt_end, 0);
+ if ((errno == ERANGE && pt == ULONG_MAX) || (errno && !pt) ||
+ pt_str == pt_end)
+ goto error;
/* Do not allow duplicate payload types */
for (i = 0; i < count; i++)
--
To view, visit https://gerrit.osmocom.org/c/osmo-mgw/+/14905
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings
Gerrit-Project: osmo-mgw
Gerrit-Branch: master
Gerrit-Change-Id: Ifba1c1e3151d6f92f9da3d4ca2569a5908455ca8
Gerrit-Change-Number: 14905
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pespin at sysmocom.de>
Gerrit-MessageType: newchange
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20190723/35372a59/attachment.htm>