CVE-2022-47517: fix off-by-one access triggered e.g. by Contact: % · davehorton/sofia-sip@22c1bd1
An issue was discovered in the libsofia-sip fork in drachtio-server before 0.8.19. It allows remote attackers to cause a denial of service (daemon crash) via a crafted UDP message that causes a url_canonize2 heap-based buffer over-read because of an off-by-one error.
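The failure mode described above is a percent-decoder that, on seeing `%` as the last byte of a string, reads the two bytes after it: the first is the NUL terminator, the second lies one byte past the buffer. The following is an added illustration in C, not sofia-sip's own code; `pct_decode` and `hex_value` are hypothetical names, and the `n` limit and in-place (`d == s`) decoding mirror the shape of the `url_canonize2` signature shown in the diff. It shows the bounds check that keeps every read inside the string, with the `Contact: %` input from the commit title as one of the constructed test cases.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a sofia-sip function): value of a hex digit,
 * or -1 when c is not one.  Note that hex_value('\0') is -1. */
static int hex_value(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes from s (at most n bytes, stopping at NUL) into d.
 * d may alias s, as url_canonize2 permits.  Returns the number of bytes
 * written, or -1 on a malformed escape; d is NUL-terminated either way.
 *
 * The trailing-'%' case is the one CVE-2022-47517 is about: when s[i] is
 * the last character, s[i + 1] is the terminator and s[i + 2] lies one
 * byte past it.  Checking s[i + 1] before touching s[i + 2] keeps every
 * read inside the string; once s[i + 1] is known to be non-NUL, s[i + 2]
 * is at worst the terminator itself, which hex_value() rejects. */
long pct_decode(char *d, const char *s, size_t n)
{
    size_t i, o = 0;

    for (i = 0; i < n && s[i]; i++) {
        if (s[i] != '%') {
            d[o++] = s[i];
            continue;
        }
        /* A '%' needs two more bytes inside both the n limit and the
         * NUL-terminated string. */
        if (i + 2 >= n || s[i + 1] == '\0') {
            d[o] = '\0';
            return -1;
        }
        int h1 = hex_value((unsigned char)s[i + 1]);
        int h2 = hex_value((unsigned char)s[i + 2]);
        if (h1 < 0 || h2 < 0) {
            d[o] = '\0';
            return -1;
        }
        d[o++] = (char)((h1 << 4) | h2);
        i += 2;                  /* skip the two hex digits just consumed */
    }
    d[o] = '\0';
    return (long)o;
}

int main(void)
{
    /* Constructed inputs: a well-formed escape and the trailing-'%' case. */
    char ok[16] = "a%41b";
    char bad[32] = "Contact: %";

    printf("%ld %s\n", pct_decode(ok, ok, strlen(ok)), ok);
    printf("%ld\n", pct_decode(bad, bad, strlen(bad)));
    return 0;
}
```

The check `s[i + 1] == '\0'` is the constant-time form of the `i >= strlen(s) - 1` test in the hunk below: because `s[i]` is `%` and therefore not the terminator, `i` is already below `strlen(s)`, so the two conditions are equivalent.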
@@ -185,7 +185,7 @@ int url_reserved_p(char const *s)
* The number of characters in corresponding but escaped string.
*
* You can handle a part of URL with reserved characters like this:
* @code
*�@code
* if (url_reserved_p(s)) {
* n = malloc(url_esclen(s, NULL) + 1);
* if (n) url_escape(n, s);
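Review bot: this hunk, like the two later ones touching `@param src` lines, only swaps a stray non-ASCII space in a doc comment for a plain one (`*�@code` becomes `* @code`) and has nothing to do with the over-read. Mixing whitespace cleanups into a CVE fix makes the one-line security change harder to review and to backport; consider moving the three comment fixes into a separate commit.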
@@ -364,6 +364,7 @@ char *url_canonize2(char *d, char const * const s, size_t n,
continue;
}
if (i >= strlen(s) - 1) return NULL;
h1 = s[i + 1], h2 = s[i + 2];
if (!IS_HEX(h1) || !IS_HEX(h2)) {
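Review bot: the new guard `if (i >= strlen(s) - 1) return NULL;` recomputes strlen(s) on every `%` the loop reaches, so a URL with many escapes costs a full scan per escape. Since `s[i]` is `%` here, `i` is already below strlen(s), and the condition is exactly "s[i + 1] is the terminator", so `if (!s[i + 1]) return NULL;` gives the same protection in constant time; after that check `h1 = s[i + 1], h2 = s[i + 2];` reads at most the NUL itself, which the IS_HEX test rejects. Also worth confirming that this early exit leaves `d` in the same state as the existing IS_HEX failure path (the hunk does not show how that path finishes `d`) and that every caller of url_canonize2 treats a NULL return as a failed parse.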
@@ -1088,7 +1089,7 @@ char *copy(char *buf, char *end, char const *src)
* @param buf Buffer for non-constant strings copied from @a src.
* @param bufsize Size of @a buf.
* @param dst Destination URL structure.
* @param src Source URL structure.
*�@param src Source URL structure.
*
* @return Number of characters required for
* duplicating the strings in @a str, or -1 if an error
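Review bot: while this comment is being touched, the @return text says "the strings in @a str", but the documented parameters are buf, bufsize, dst and src; it should read `@a src` so Doxygen cross-references the right parameter.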
@@ -1172,7 +1173,7 @@ issize_t url_dup(char *buf, isize_t bufsize, url_t *dst, url_t const *src)
* @param buf Buffer for non-constant strings copied from @a src.
* @param end End of @a buf.
* @param dst Destination URL structure.
* @param src Source URL structure.
*�@param src Source URL structure.
*
* @return
* The macro URL_DUP() returns pointer to first unused byte in the