From: Bogdan-Andrei Iancu <bogdan@opensips.org>
Date: Tue, 30 Jan 2018 14:07:42 +0200
Subject: [PATCH] Fix reverse_hex2int() prototype

As the computed value is unsigned (a data size), it cannot be returned as an int, because it will overflow and be converted to a negative value. This will collide with the negative error return code -1.
Reported by Daniel Zanutti.

(cherry picked from commit 095dc57300b9665b090e999a540db8b391f8d22e)

diff --git a/forward.c b/forward.c
index f0af2c079..835e8b4eb 100644
--- a/forward.c
+++ b/forward.c
@@ -468,7 +468,7 @@ int forward_reply(struct sip_msg* msg)
 	unsigned int new_len;
 	struct sr_module *mod;
 	int proto;
-	int id; /* used only by tcp*/
+	unsigned int id; /* used only by tcp*/
 	struct socket_info *send_sock;
 	char* s;
 	int len;
@@ -523,7 +523,7 @@ int forward_reply(struct sip_msg* msg)
 		if (msg->via1->i&&msg->via1->i->value.s){
 			s=msg->via1->i->value.s;
 			len=msg->via1->i->value.len;
-			id=reverse_hex2int(s, len);
+			reverse_hex2int(s, len, &id);
 		}
 	}
 
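Review bot: The return value of `reverse_hex2int(s, len, &id)` is dropped here, so a Via `i` parameter that is not valid hex leaves `id` holding whatever was accumulated before the bad character, where the old code yielded -1. That value comes from the received reply and is later handed to `msg_send` as the id. I would check the result and fall back to a known value, e.g. `if (reverse_hex2int(s, len, &id)<0) id=0;`, assuming 0 is the "no id" value; the initialisation of `id` is outside this hunk. The second call in `parse_branch` in modules/nathelper/sip_pinger.h (`reverse_hex2int(branch.s, end-branch.s, &hash_id);`) ignores the result in the same way.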
@@ -535,7 +535,7 @@ int forward_reply(struct sip_msg* msg)
 		goto error;
 	}
 
-	if (msg_send(send_sock, proto, to, id, new_buf, new_len, msg)<0) {
+	if (msg_send(send_sock, proto, to, (int)id, new_buf, new_len, msg)<0) {
 		update_stat( drp_rpls, 1);
 		goto error0;
 	}
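Review bot: The `(int)id` cast brings back the conversion the commit message describes: an `id` above INT_MAX becomes negative at the `msg_send` boundary. Since `id` is parsed from the reply's Via, a range check before the call would be safer than a cast, e.g. `if (id>INT_MAX) goto error;` (which label is correct depends on cleanup code outside this hunk). Alternatively `msg_send` could take an `unsigned int`, if its other callers allow it.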
diff --git a/modules/dialog/dlg_handlers.c b/modules/dialog/dlg_handlers.c
index dccafe63f..745f2a95e 100644
--- a/modules/dialog/dlg_handlers.c
+++ b/modules/dialog/dlg_handlers.c
@@ -1386,8 +1386,8 @@ void dlg_onroute(struct sip_msg* req, str *route_params, void *param)
 	str callid;
 	str ftag;
 	str ttag;
-	int h_entry;
-	int h_id;
+	unsigned int h_entry;
+	unsigned int h_id;
 	int new_state;
 	int old_state;
 	int unref;
diff --git a/modules/dialog/dlg_handlers.h b/modules/dialog/dlg_handlers.h
index 2b0471468..9f7f634c3 100644
--- a/modules/dialog/dlg_handlers.h
+++ b/modules/dialog/dlg_handlers.h
@@ -107,7 +107,7 @@ typedef int (*terminate_dlg_f)(unsigned int h_entry, unsigned int h_id,str *reas
 void unreference_dialog(void *dialog);
 
 static inline int parse_dlg_rr_param(char *p, char *end,
-													int *h_entry, int *h_id)
+								unsigned int *h_entry, unsigned int *h_id)
 {
 	char *s;
 
@@ -117,12 +117,12 @@ static inline int parse_dlg_rr_param(char *p, char *end,
 		return -1;
 	}
 
-	if ( (*h_entry=reverse_hex2int( s, p-s))<0 ) {
+	if ( reverse_hex2int( s, p-s, h_entry)<0 ) {
 		LM_ERR("invalid hash entry '%.*s'\n", (int)(long)(p-s), s);
 		return -1;
 	}
 
-	if ( (*h_id=reverse_hex2int( p+1, end-(p+1)))<0 ) {
+	if ( reverse_hex2int( p+1, end-(p+1), h_id)<0 ) {
 		LM_ERR("invalid hash id '%.*s'\n", (int)(long)(end-(p+1)), p+1 );
 		return -1;
 	}
diff --git a/modules/nathelper/sip_pinger.h b/modules/nathelper/sip_pinger.h
index bd74358ba..ceee556fd 100644
--- a/modules/nathelper/sip_pinger.h
+++ b/modules/nathelper/sip_pinger.h
@@ -94,7 +94,8 @@ static void init_sip_ping(int rto)
 
 static int parse_branch(str branch)
 {
-	int hash_id, cid_len;
+	unsigned int hash_id;
+	int cid_len;
 	char *end;
 
 	int64_t ret;
@@ -115,13 +116,13 @@ static int parse_branch(str branch)
 	if (0 == end) {
 		/* if reverse hex2int succeeds on this it's a simple
 		 * ping based on sipping_callid_cnt label */
-		if (reverse_hex2int(branch.s, end-branch.s) > 0)
+		if (reverse_hex2int(branch.s, end-branch.s, &hash_id)==0)
 			return 0;
 
 		return 1;
 	}
 
-	hash_id = reverse_hex2int(branch.s, end-branch.s);
+	reverse_hex2int(branch.s, end-branch.s, &hash_id);
 
 	branch.len -= (end-branch.s + 1);
 	branch.s = end+1;
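Review bot: In the `0 == end` branch the length argument `end-branch.s` is computed from a null `end`, and the test changed from `> 0` to `==0`. With the old function a non-positive length produced 0 and fell through to `return 1`; with the new one the loop is skipped, 0 is returned and the branch now takes `return 0`, as does a label that decodes to zero. If the intent is to parse the whole branch when no separator was found, passing the length explicitly is clearer: `if (reverse_hex2int(branch.s, branch.len, &hash_id)==0)`. How `end` is assigned is outside this hunk, so this needs confirming against the lines above.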
diff --git a/modules/tm/t_lookup.c b/modules/tm/t_lookup.c
index 13ad3f07c..5ea8a76cd 100644
--- a/modules/tm/t_lookup.c
+++ b/modules/tm/t_lookup.c
@@ -683,9 +683,9 @@ found:
 int t_reply_matching( struct sip_msg *p_msg , int *p_branch )
 {
 	struct cell*  p_cell;
-	int hash_index   = 0;
-	int entry_label  = 0;
-	int branch_id    = 0;
+	unsigned int hash_index   = 0;
+	unsigned int entry_label  = 0;
+	unsigned int branch_id    = 0;
 	char  *hashi, *branchi, *p, *n;
 	int hashl, branchl;
 	int scan_space;
@@ -754,19 +754,19 @@ int t_reply_matching( struct sip_msg *p_msg , int *p_branch )
 	branchi=p;
 
 	/* sanity check */
-	if ((hash_index=reverse_hex2int(hashi, hashl))<0
+	if (reverse_hex2int(hashi, hashl, &hash_index)<0
 		||hash_index>=TM_TABLE_ENTRIES
-		|| (branch_id=reverse_hex2int(branchi, branchl))<0
+		|| reverse_hex2int(branchi, branchl, &branch_id)<0
 		||branch_id>=MAX_BRANCHES
-		|| (syn_branch ? (entry_label=reverse_hex2int(syni, synl))<0
+		|| (syn_branch ? reverse_hex2int(syni, synl, &entry_label)<0
 			: loopl!=MD5_LEN )
 	) {
-		LM_DBG("poor reply labels %d label %d branch %d\n",
+		LM_DBG("poor reply labels %u label %u branch %u\n",
 				hash_index, entry_label, branch_id );
 		goto nomatch2;
 	}
 
-	LM_DBG("hash %d label %d branch %d\n",hash_index, entry_label, branch_id);
+	LM_DBG("hash %u label %d branch %u\n",hash_index, entry_label, branch_id);
 
 	cseq = get_cseq(p_msg);
 
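Review bot: `entry_label` is now `unsigned int` but the second debug line still prints it with `%d`, while the "poor reply labels" line above was switched to `%u` for all three values. The specifier should match the type: `LM_DBG("hash %u label %u branch %u\n",hash_index, entry_label, branch_id);`. Note also that when the sanity check fails part-way, the first `LM_DBG` prints whatever was parsed before the failure rather than a sentinel, which may be confusing when reading logs.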
diff --git a/ut.h b/ut.h
index c9c109669..83d12b0ed 100644
--- a/ut.h
+++ b/ut.h
@@ -238,22 +238,21 @@ static inline char* q_memrchr(char* p, int c, unsigned int size)
 }
 
 
-inline static int reverse_hex2int( char *c, int len )
+inline static int reverse_hex2int( char *c, int len, unsigned int *r)
 {
 	char *pc;
-	int r;
 	char mychar;
 
-	r=0;
+	*r=0;
 	for (pc=c+len-1; len>0; pc--, len--) {
-		r <<= 4 ;
+		(*r) <<= 4 ;
 		mychar=*pc;
-		if ( mychar >='0' && mychar <='9') r+=mychar -'0';
-		else if (mychar >='a' && mychar <='f') r+=mychar -'a'+10;
-		else if (mychar  >='A' && mychar <='F') r+=mychar -'A'+10;
+		if ( mychar >='0' && mychar <='9') (*r)+=mychar -'0';
+		else if (mychar >='a' && mychar <='f') (*r)+=mychar -'a'+10;
+		else if (mychar  >='A' && mychar <='F') (*r)+=mychar -'A'+10;
 		else return -1;
 	}
-	return r;
+	return 0;
 }
 
 inline static int int2reverse_hex( char **c, int *size, unsigned int nr )
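Review bot: `reverse_hex2int` accepts any `len`: more than `2*sizeof(unsigned int)` hex digits silently shift the high bits out and still return 0, and `len<=0` returns 0 with `*r` set to 0, so distinct label strings taken from a message can decode to the same id. It also writes `*r` as it goes, so a caller that ignores the -1 sees a partial value. I would bound the length up front and accumulate in a local, storing to `*r` only on success. Whether any caller relies on an empty string decoding to 0 is not visible here, so the empty-input rejection needs confirming. A doc comment stating that the function returns 0 on success and -1 on a non-hex character, with the result in `*r`, would also help now that the return value no longer carries the number.

```c
inline static int reverse_hex2int( char *c, int len, unsigned int *r)
{
	char *pc;
	unsigned int v;
	char mychar;

	*r=0;
	/* reject empty input and anything wider than an unsigned int */
	if (len<=0 || len>(int)(2*sizeof(*r)))
		return -1;
	v=0;
	for (pc=c+len-1; len>0; pc--, len--) {
		v <<= 4 ;
		mychar=*pc;
		/* … digit decoding as in the hunk, accumulating into v instead of *r … */
		else return -1;
	}
	*r=v;
	return 0;
}
```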