Hi team, thanks for your great work! I think I found a small vulnerability that might lead to Null Pointer Dereference in the system
At lines 672-685 in file sip_parser.c
Description: I'll use the Git-master version as an example. In line 672, member sip->sip_separator is allocated with sip_separator_create:
if (!sip->sip_separator)
sip->sip_separator = sip_separator_create(msg_home(msg));
Although sip_separator_create and sip_header_alloc contain some internal checks, the caller does not verify whether the allocation actually succeeded. If the allocation fails, it will lead to sip->sip_separator = NULL.
When we try to visit it at line 685 with:
head = sip->sip_separator->sep_common;
It is likely to cause a Null Pointer Dereference bug.
Similar bugs have been previously reported like CVE-2022-3109.
Fix
I think maybe a simple check before line 685 should be sufficient, for example
if (!sip->sip_separator)
return NULL; /* or appropriate error handling */
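The pattern the report describes, as an added example that is not sofia-sip code and not part of the original issue: a member is lazily allocated and then dereferenced without checking whether the allocation succeeded. The struct and function names (fake_sip_t, fake_separator_t, sep_create, sep_common_head_unchecked, sep_common_head_checked) and the g_fail_alloc hook that simulates an out-of-memory failure are constructed for this example and are not the library's API.

```c
/* Added example: models an unchecked lazy allocation followed by a dereference,
 * and the checked variant that propagates the failure instead of crashing.
 * All names here are hypothetical stand-ins, not sofia-sip identifiers. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { int sep_common; } fake_separator_t;
typedef struct { fake_separator_t *sip_separator; } fake_sip_t;

/* Constructed test hook: when nonzero, sep_create() returns NULL, which is
 * what a real allocator does when memory is exhausted. */
static int g_fail_alloc = 0;

static fake_separator_t *sep_create(void) {
    if (g_fail_alloc)
        return NULL;
    fake_separator_t *s = calloc(1, sizeof *s);
    if (s)
        s->sep_common = 42;   /* constructed sample value */
    return s;
}

/* Mirrors the reported code path: allocate if missing, then read through the
 * pointer with no check. If sep_create() failed this dereferences NULL. */
static int sep_common_head_unchecked(fake_sip_t *sip) {
    if (!sip->sip_separator)
        sip->sip_separator = sep_create();
    return sip->sip_separator->sep_common;   /* NULL deref on allocation failure */
}

/* Hardened form: the allocation result is checked before it is used.
 * Returns 0 and stores the value in *out on success, -1 if allocation failed. */
static int sep_common_head_checked(const fake_sip_t *sip_in, int *out) {
    fake_sip_t *sip = (fake_sip_t *)sip_in;
    if (!sip->sip_separator)
        sip->sip_separator = sep_create();
    if (!sip->sip_separator)
        return -1;            /* propagate the failure to the caller */
    *out = sip->sip_separator->sep_common;
    return 0;
}

static void fake_sip_free(fake_sip_t *sip) {
    free(sip->sip_separator);
    sip->sip_separator = NULL;
}

int main(void) {
    fake_sip_t sip = { NULL };
    int v = 0;

    /* Normal path: both versions behave the same when allocation succeeds. */
    g_fail_alloc = 0;
    printf("unchecked, alloc ok: %d\n", sep_common_head_unchecked(&sip));
    fake_sip_free(&sip);
    printf("checked, alloc ok: rc=%d v=%d\n", sep_common_head_checked(&sip, &v), v);
    fake_sip_free(&sip);

    /* Failure path: only the checked version is safe to call here. */
    g_fail_alloc = 1;
    printf("checked, alloc failed: rc=%d\n", sep_common_head_checked(&sip, &v));
    g_fail_alloc = 0;
    return 0;
}
```

The checked variant returns an error code rather than a sentinel value so the caller cannot confuse "allocation failed" with a legitimately stored value; under a real allocator the failure path is rarely exercised, which is why a fault-injection hook like g_fail_alloc (or running the test suite with an allocator that fails on demand) is the practical way to cover it.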