#! /bin/sh /usr/share/dpatch/dpatch-run
## CVE-2007-4924.dpatch by Nico Golde <nion@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad opal-2.2.3.dfsg~/src/sip/sippdu.cxx opal-2.2.3.dfsg/src/sip/sippdu.cxx
--- opal-2.2.3.dfsg~/src/sip/sippdu.cxx 2006-08-07 22:07:46.000000000 +0200
+++ opal-2.2.3.dfsg/src/sip/sippdu.cxx 2007-12-02 23:12:31.000000000 +0100
@@ -656,7 +656,7 @@
else
addr += hostname;
- if (port != 0)
+ if (port > 0)
addr.sprintf(":%u", port);
return addr;
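Review bot: Whether `if (port > 0)` changes anything depends on the declared type of `port`, which is not visible in this hunk. If `port` is an unsigned type, the new test is equivalent to the old `port != 0` and the hunk has no effect. If it is signed, the guard now keeps negative values out of `addr.sprintf(":%u", port)`, but nothing rejects values above 65535 and `%u` still receives a signed argument. A one-line comment stating the intended range, such as `// port is only appended when it is a valid non-zero port number`, plus an upper bound if the type allows one, would make the intent checkable. The enclosing function starts and ends outside the hunk.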
@@ -1815,8 +1815,18 @@
// if no content length is specified (which is not the same as zero length)
// then read until plausible end of header marker
PINDEX contentLength = mime.GetContentLength();
- if (contentLength > 0)
+ // assume entity bodies can't be longer than a UDP packet
+ if (contentLength > 1500) {
+ PTRACE(2, "SIP\tImplausibly long Content-Length " << contentLength << " received on " << transport);
+ return FALSE;
+ }
+ else if (contentLength < 0) {
+ PTRACE(2, "SIP\tImpossible negative Content-Length on " << transport);
+ return FALSE;
+ }
+ if (contentLength > 0){
transport.read(entityBody.GetPointer(contentLength+1), contentLength);
+ }
else if (!mime.IsContentLengthPresent()) {
PBYTEArray pp;
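Review bot: The cap in `if (contentLength > 1500)` is a bare literal, and its comment justifies it as the size of a UDP packet, but 1500 is the usual Ethernet MTU rather than the UDP datagram limit. The check also runs for whatever `transport` is passed in. If this read path serves stream transports too (not visible in the hunk), legitimate larger bodies would be rejected and the message dropped with only a level-2 trace. I would name the limit and record the assumption, e.g. `static const PINDEX MaxEntityBodyLength = 1500; // one Ethernet-MTU datagram; revisit for stream transports`, and test `contentLength > MaxEntityBodyLength`. Separately, the result of `transport.read(...)` on the context line is still unchecked, so a short read leaves `entityBody` only partly filled. The enclosing function starts and ends outside the hunk.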