From: Mike Stepanek (mstepane)
Date: Fri, 30 Nov 2018 19:36:59 +0000 (-0500)
Subject: Merge pull request #1444 in SNORT/snort3 from ~PSHINDE2/snort3:sip_buffer_overflow...
X-Git-Tag: 3.0.0-250~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4ef0bc1e015aa306b3c028b1d722ecd5595cf914;p=thirdparty%2Fsnort3.git
Merge pull request #1444 in SNORT/snort3 from ~PSHINDE2/snort3:sip_buffer_overflow to master
Squashed commit of the following:
commit 8ff1664addda5eb674ed2cf6db492d3f19feea56
Author: Pratik Shinde
Date: Tue Nov 27 16:48:39 2018 -0500
sip: Added sanity check for buffer boundary while parsing a sip message
---
diff --git a/src/service_inspectors/sip/sip_parser.cc b/src/service_inspectors/sip/sip_parser.cc
index e78b93aef..1557f2811 100644
--- a/src/service_inspectors/sip/sip_parser.cc
+++ b/src/service_inspectors/sip/sip_parser.cc
@@ -1184,14 +1184,17 @@ bool sip_parse(SIPMsg* msg, const char* buff, const char* end, SIP_PROTO_CONF* c
 start = nextIndex;
 uint16_t bodyLen = end - start;
- /*Disable this check for TCP. Revisit this again when PAF enabled for SIP*/
 if ((!msg->isTcp)&&(msg->content_len > bodyLen))
 DetectionEngine::queue_event(GID_SIP, SIP_EVENT_MISMATCH_CONTENT_LEN);
- bool status = sip_body_parse(msg, start, start + msg->content_len, &nextIndex);
+ bool status;
+
+ if(msg->content_len <= bodyLen)
+ status = sip_body_parse(msg, start, start + msg->content_len, &nextIndex);
+ else
+ status = sip_body_parse(msg, start, end, &nextIndex);
 // Find out whether multiple SIP messages in this packet
- /*Disable this check for TCP. Revisit this again when PAF enabled for SIP*/
 if ((!msg->isTcp) && (msg->content_len < bodyLen))
 {
 if ( sip_startline_parse(msg, start + msg->content_len, end, &nextIndex, config) )
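Review bot: The new `msg->content_len <= bodyLen` guard is only as sound as `bodyLen`, which is still the `uint16_t` narrowing of `end - start` on the context line above it. If more than 65535 bytes remain the value wraps and the comparison is made against the wrong length, and if `nextIndex` could ever sit past `end` (not visible in this hunk) the wrapped value would let `start + msg->content_len` point beyond the buffer again. Computing the length without narrowing, e.g. `const size_t bodyLen = (start < end) ? static_cast<size_t>(end - start) : 0;`, keeps the bound meaningful; check the signedness of `content_len` when changing the type. The two deleted comments were the only explanation for the `!msg->isTcp` exemptions that remain, so a TCP message with an oversized Content-Length is now parsed up to `end` with no event and no stated reason; restoring or updating that comment next to each condition would document the intent. sip_parse starts and ends outside the hunk.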