Fix out-of-bounds read in SIP parameter escape handling

marcel · marcel · commit 6827f1526944 · 2026-02-10T12:05:00.000+01:00
The escape handler in VP_PVALUE_QUOTED checked for NUL terminator
after advancing the cursor, but the parser is bounded by an end
pointer, not NUL. A backslash at the last position would dereference
past the buffer. Check bounds against end pointer before incrementing.
diff --git a/core/sip/parse_common.cpp b/core/sip/parse_common.cpp
@@ -256,10 +256,11 @@ static int _parse_gen_params(list<sip_avp*>* params, const char** c,
 		break;
 		
 	    case '\\':
-		if(!*(++(*c))){
+		if(*c + 1 >= end){
 		    DBG("Escape char in quoted str at EoT!!!\n");
 		    return MALFORMED_SIP_MSG;
 		}
+		++(*c);
 		break;
 	    }
 	    break;

Original file line number	Diff line number	Diff line change
`@@ -256,10 +256,11 @@ static int _parse_gen_params(list<sip_avp> params, const char** c,`
`256`	`256`	`break;`
`257`	`257`
`258`	`258`	`case '\\':`
`259`		`- if(!(++(c))){`
	`259`	`+ if(*c + 1 >= end){`
`260`	`260`	`DBG("Escape char in quoted str at EoT!!!\n");`
`261`	`261`	`return MALFORMED_SIP_MSG;`
`262`	`262`	`}`
	`263`	`+ ++(*c);`
`263`	`264`	`break;`
`264`	`265`	`}`
`265`	`266`	`break;`