From: Bogdan-Andrei Iancu <bogdan@opensips.org>
Date: Tue, 30 Jan 2018 14:07:42 +0200
Subject: [PATCH] Fix reverse_hex2int() prototype
As the computed value is unsigned (in data size), it cannot be returned as an int: it will overflow and be converted to a negative value, which collides with the negative error return code -1.
Reported by Daniel Zanutti.
(cherry picked from commit 095dc57300b9665b090e999a540db8b391f8d22e)
diff --git a/forward.c b/forward.c
index f0af2c079..835e8b4eb 100644
--- a/forward.c
+++ b/forward.c
@@ -468,7 +468,7 @@ int forward_reply(struct sip_msg* msg)
unsigned int new_len;
struct sr_module *mod;
int proto;
- int id; /* used only by tcp*/
+ unsigned int id; /* used only by tcp*/
struct socket_info *send_sock;
char* s;
int len;
@@ -523,7 +523,7 @@ int forward_reply(struct sip_msg* msg)
if (msg->via1->i&&msg->via1->i->value.s){
s=msg->via1->i->value.s;
len=msg->via1->i->value.len;
- id=reverse_hex2int(s, len);
+ reverse_hex2int(s, len, &id);
}
}
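Review bot: The result of `reverse_hex2int(s, len, &id);` is discarded, so a Via `i` value containing a non-hex character leaves `id` holding whatever was accumulated before the bad digit. Before this change the same input produced -1; now a partially parsed, message-controlled value flows on to the `id` argument of `msg_send` in the next hunk. Check the return code, for example `if (reverse_hex2int(s, len, &id)<0) goto error;`. Whether dropping the reply or falling back to a default id is the right policy cannot be decided from here, because forward_reply's body continues outside the hunk.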
@@ -535,7 +535,7 @@ int forward_reply(struct sip_msg* msg)
goto error;
}
- if (msg_send(send_sock, proto, to, id, new_buf, new_len, msg)<0) {
+ if (msg_send(send_sock, proto, to, (int)id, new_buf, new_len, msg)<0) {
update_stat( drp_rpls, 1);
goto error0;
}
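Review bot: The `(int)id` cast in the `msg_send` call brings back the sign problem this patch removes from `reverse_hex2int`: a parsed value above INT_MAX is converted to a negative int, and the result is implementation-defined. If `msg_send` gives negative ids a special meaning, which is not visible in this hunk, a crafted Via value can still reach it. Either range-check before the call, `if (id > INT_MAX) goto error;`, or make the `msg_send` parameter unsigned so no cast is needed. forward_reply's body continues outside the hunk.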
diff --git a/modules/dialog/dlg_handlers.c b/modules/dialog/dlg_handlers.c
index 57b023b14..324fb65cb 100644
--- a/modules/dialog/dlg_handlers.c
+++ b/modules/dialog/dlg_handlers.c
@@ -1386,8 +1386,8 @@ void dlg_onroute(struct sip_msg* req, str *route_params, void *param)
str callid;
str ftag;
str ttag;
- int h_entry;
- int h_id;
+ unsigned int h_entry;
+ unsigned int h_id;
int new_state;
int old_state;
int unref;
diff --git a/modules/dialog/dlg_handlers.h b/modules/dialog/dlg_handlers.h
index 2b0471468..9f7f634c3 100644
--- a/modules/dialog/dlg_handlers.h
+++ b/modules/dialog/dlg_handlers.h
@@ -107,7 +107,7 @@ typedef int (*terminate_dlg_f)(unsigned int h_entry, unsigned int h_id,str *reas
void unreference_dialog(void *dialog);
static inline int parse_dlg_rr_param(char *p, char *end,
- int *h_entry, int *h_id)
+ unsigned int *h_entry, unsigned int *h_id)
{
char *s;
@@ -117,12 +117,12 @@ static inline int parse_dlg_rr_param(char *p, char *end,
return -1;
}
- if ( (*h_entry=reverse_hex2int( s, p-s))<0 ) {
+ if ( reverse_hex2int( s, p-s, h_entry)<0 ) {
LM_ERR("invalid hash entry '%.*s'\n", (int)(long)(p-s), s);
return -1;
}
- if ( (*h_id=reverse_hex2int( p+1, end-(p+1)))<0 ) {
+ if ( reverse_hex2int( p+1, end-(p+1), h_id)<0 ) {
LM_ERR("invalid hash id '%.*s'\n", (int)(long)(end-(p+1)), p+1 );
return -1;
}
diff --git a/modules/nathelper/sip_pinger.h b/modules/nathelper/sip_pinger.h
index bd74358ba..ceee556fd 100644
--- a/modules/nathelper/sip_pinger.h
+++ b/modules/nathelper/sip_pinger.h
@@ -94,7 +94,8 @@ static void init_sip_ping(int rto)
static int parse_branch(str branch)
{
- int hash_id, cid_len;
+ unsigned int hash_id;
+ int cid_len;
char *end;
int64_t ret;
@@ -115,13 +116,13 @@ static int parse_branch(str branch)
if (0 == end) {
/* if reverse hex2int succeeds on this it's a simple
* ping based on sipping_callid_cnt label */
- if (reverse_hex2int(branch.s, end-branch.s) > 0)
+ if (reverse_hex2int(branch.s, end-branch.s, &hash_id)==0)
return 0;
return 1;
}
- hash_id = reverse_hex2int(branch.s, end-branch.s);
+ reverse_hex2int(branch.s, end-branch.s, &hash_id);
branch.len -= (end-branch.s + 1);
branch.s = end+1;
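Review bot: Inside the `if (0 == end)` branch the length argument is still `end-branch.s`, a subtraction from a null pointer, so `reverse_hex2int` is not given the length of `branch`. With the test changed from `> 0` to `==0`, a non-positive length now counts as success, because the loop never runs and 0 is returned; the old code fell through to `return 1` in that case. Passing the real length looks intended: `if (reverse_hex2int(branch.s, branch.len, &hash_id)==0)`. The second call, `reverse_hex2int(branch.s, end-branch.s, &hash_id);`, ignores the result, so `hash_id` is used even when parsing failed. How `end` is assigned lies outside the hunk.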
diff --git a/modules/tm/t_lookup.c b/modules/tm/t_lookup.c
index 847611dc8..4e42e0d68 100644
--- a/modules/tm/t_lookup.c
+++ b/modules/tm/t_lookup.c
@@ -694,9 +694,9 @@ found:
int t_reply_matching( struct sip_msg *p_msg , int *p_branch )
{
struct cell* p_cell;
- int hash_index = 0;
- int entry_label = 0;
- int branch_id = 0;
+ unsigned int hash_index = 0;
+ unsigned int entry_label = 0;
+ unsigned int branch_id = 0;
char *hashi, *branchi, *p, *n;
int hashl, branchl;
int scan_space;
@@ -765,19 +765,19 @@ int t_reply_matching( struct sip_msg *p_msg , int *p_branch )
branchi=p;
/* sanity check */
- if ((hash_index=reverse_hex2int(hashi, hashl))<0
+ if (reverse_hex2int(hashi, hashl, &hash_index)<0
||hash_index>=TM_TABLE_ENTRIES
- || (branch_id=reverse_hex2int(branchi, branchl))<0
+ || reverse_hex2int(branchi, branchl, &branch_id)<0
||branch_id>=MAX_BRANCHES
- || (syn_branch ? (entry_label=reverse_hex2int(syni, synl))<0
+ || (syn_branch ? reverse_hex2int(syni, synl, &entry_label)<0
: loopl!=MD5_LEN )
) {
- LM_DBG("poor reply labels %d label %d branch %d\n",
+ LM_DBG("poor reply labels %u label %u branch %u\n",
hash_index, entry_label, branch_id );
goto nomatch2;
}
- LM_DBG("hash %d label %d branch %d\n",hash_index, entry_label, branch_id);
+ LM_DBG("hash %u label %d branch %u\n",hash_index, entry_label, branch_id);
cseq = get_cseq(p_msg);
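Review bot: The second `LM_DBG` still prints `entry_label` with `%d` although it is now `unsigned int`; the "poor reply labels" message above it was switched to `%u` for all three values. Use `LM_DBG("hash %u label %u branch %u\n",hash_index, entry_label, branch_id);` so the specifiers match the argument types. Note also that the `||` chain short-circuits, so on the failure path the logged `branch_id` and `entry_label` may be the zero initialisers or partially parsed values rather than what the reply carried. t_reply_matching continues outside the hunk.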
diff --git a/ut.h b/ut.h
index 3476a5832..744fd07e7 100644
--- a/ut.h
+++ b/ut.h
@@ -238,22 +238,21 @@ static inline char* q_memrchr(char* p, int c, unsigned int size)
}
-inline static int reverse_hex2int( char *c, int len )
+inline static int reverse_hex2int( char *c, int len, unsigned int *r)
{
char *pc;
- int r;
char mychar;
- r=0;
+ *r=0;
for (pc=c+len-1; len>0; pc--, len--) {
- r <<= 4 ;
+ (*r) <<= 4 ;
mychar=*pc;
- if ( mychar >='0' && mychar <='9') r+=mychar -'0';
- else if (mychar >='a' && mychar <='f') r+=mychar -'a'+10;
- else if (mychar >='A' && mychar <='F') r+=mychar -'A'+10;
+ if ( mychar >='0' && mychar <='9') (*r)+=mychar -'0';
+ else if (mychar >='a' && mychar <='f') (*r)+=mychar -'a'+10;
+ else if (mychar >='A' && mychar <='F') (*r)+=mychar -'A'+10;
else return -1;
}
- return r;
+ return 0;
}
inline static int int2reverse_hex( char **c, int *size, unsigned int nr )
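Review bot: `reverse_hex2int` still places no bound on `len`: with more than `2*sizeof(unsigned int)` hex digits, `(*r) <<= 4` silently shifts the first-processed digits out, so distinct input strings collapse to the same value and pass the callers' range checks. A zero or negative `len` returns 0 with `*r` set to 0, and a bad digit leaves `*r` holding a partial value that callers ignoring the return code will use. A guard at the top, `if (len<=0 || len>(int)(2*sizeof(*r))) return -1;`, together with accumulating in a local and storing to `*r` only on success, would close both. Whether any caller relies on an empty string parsing as 0 should be checked first.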