From f3e95a4d4278fda5a0648943020bdf0026219f7c Mon Sep 17 00:00:00 2001 From: Anders Svensson Date: Tue, 24 Mar 2015 13:20:36 +0100 Subject: Limit DiameterURI ports to 0-65535 digits on decode A port number is a 16-bit integer, but the regexp used to parse it in commit 1590920 slavishly followed the RFC 6733 grammar in matching an arbitrary number of digits. Make decode fail if it's anything more than 5, to avoid doing erlang:list_to_integer/1 on arbitrarily large lists. Also make it fail if the resulting integer is outside of the expected range. --- lib/diameter/src/base/diameter_types.erl | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'lib/diameter/src') diff --git a/lib/diameter/src/base/diameter_types.erl b/lib/diameter/src/base/diameter_types.erl index fe7613541c..96407efc09 100644 --- a/lib/diameter/src/base/diameter_types.erl +++ b/lib/diameter/src/base/diameter_types.erl @@ -566,17 +566,25 @@ msb(false) -> ?TIME_2036. scan_uri(Bin) -> RE = "^(aaas?)://" "([-a-zA-Z0-9.]+)" - "(:([0-9]+))?" + "(:0{0,5}([0-9]{1,5}))?" "(;transport=(tcp|sctp|udp))?" "(;protocol=(diameter|radius|tacacs\\+))?$", + %% A port number is 16-bit, so an arbitrary number of digits is + %% just a vulnerability, but provide a little slack with leading + %% zeros in a port number just because the regexp was previously + %% [0-9]+ and it's not inconceivable that a value might be padded. + %% Don't fantasize about this padding being more than the number + %% of digits in the port number proper. {match, [A, DN, PN, T, P]} = re:run(Bin, RE, [{capture, [1,2,4,6,8], binary}]), Type = to_atom(A), {PN0, T0} = defaults(diameter_codec:getopt(rfc), Type), + PortNr = to_int(PN, PN0), + 0 = PortNr bsr 16, %% assert #diameter_uri{type = Type, fqdn = from_bin(DN), - port = to_int(PN, PN0), + port = PortNr, transport = to_atom(T, T0), protocol = to_atom(P, diameter)}. -- cgit v1.2.3