From eb297d9682026cab49e3aed37f45d7efe5d5b65b Mon Sep 17 00:00:00 2001 From: Gustavo Almeida Date: Tue, 16 Sep 2025 18:35:33 +0100 Subject: [PATCH 1/3] feat: add some security checks on event_dup --- src/switch_event.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/src/switch_event.c b/src/switch_event.c index 8a8c8d6c357..77e16cea6f4 100644 --- a/src/switch_event.c +++ b/src/switch_event.c @@ -1344,14 +1344,23 @@ SWITCH_DECLARE(switch_status_t) switch_event_dup(switch_event_t **event, switch_ (*event)->bind_user_data = todup->bind_user_data; (*event)->flags = todup->flags; for (hp = todup->headers; hp; hp = hp->next) { - if (todup->subclass_name && !strcmp(hp->name, "Event-Subclass")) { + if (todup->subclass_name && hp->name && strcmp(hp->name, "Event-Subclass") == 0) { continue; } - if (hp->idx) { - int i; - for (i = 0; i < hp->idx; i++) { - switch_event_add_header_string(*event, SWITCH_STACK_PUSH, hp->name, hp->array[i]); + if (!hp->name || !*hp->name) { + continue; + } + + if (!hp->array && !hp->value) { + continue; + } + + if (hp->idx > 0 && hp->array) { + for (int i = 0; i < hp->idx; i++) { + if (hp->array[i]) { + switch_event_add_header_string(*event, SWITCH_STACK_PUSH, hp->name, hp->array[i]); + } } } else { switch_event_add_header_string(*event, SWITCH_STACK_BOTTOM, hp->name, hp->value); From 5c5f82b764a16436af48bbe632bc2fc9169e663c Mon Sep 17 00:00:00 2001 From: Gustavo Almeida Date: Wed, 17 Sep 2025 10:32:47 +0100 Subject: [PATCH 2/3] chore: improve security checks to use the already existing zstr function --- src/switch_event.c | 79 ++++++++++++++++++++++------------------------ 1 file changed, 38 insertions(+), 41 deletions(-) diff --git a/src/switch_event.c b/src/switch_event.c index 77e16cea6f4..e01194769cd 100644 --- a/src/switch_event.c +++ b/src/switch_event.c @@ -1333,47 +1333,44 @@ SWITCH_DECLARE(void) switch_event_merge(switch_event_t *event, switch_event_t *t SWITCH_DECLARE(switch_status_t) switch_event_dup(switch_event_t **event, switch_event_t *todup) { - switch_event_header_t *hp; - - if (switch_event_create_subclass(event, SWITCH_EVENT_CLONE, todup->subclass_name) != SWITCH_STATUS_SUCCESS) { - return SWITCH_STATUS_GENERR; - } - - (*event)->event_id = todup->event_id; - (*event)->event_user_data = todup->event_user_data; - (*event)->bind_user_data = todup->bind_user_data; - (*event)->flags = todup->flags; - for (hp = todup->headers; hp; hp = hp->next) { - if (todup->subclass_name && hp->name && strcmp(hp->name, "Event-Subclass") == 0) { - continue; - } - - if (!hp->name || !*hp->name) { - continue; - } - - if (!hp->array && !hp->value) { - continue; - } - - if (hp->idx > 0 && hp->array) { - for (int i = 0; i < hp->idx; i++) { - if (hp->array[i]) { - switch_event_add_header_string(*event, SWITCH_STACK_PUSH, hp->name, hp->array[i]); - } - } - } else { - switch_event_add_header_string(*event, SWITCH_STACK_BOTTOM, hp->name, hp->value); - } - } - - if (todup->body) { - (*event)->body = DUP(todup->body); - } - - (*event)->key = todup->key; - - return SWITCH_STATUS_SUCCESS; + switch_event_header_t *hp; + + if (switch_event_create_subclass(event, SWITCH_EVENT_CLONE, todup->subclass_name) != SWITCH_STATUS_SUCCESS) { + return SWITCH_STATUS_GENERR; + } + + (*event)->event_id = todup->event_id; + (*event)->event_user_data = todup->event_user_data; + (*event)->bind_user_data = todup->bind_user_data; + (*event)->flags = todup->flags; + + for (hp = todup->headers; hp; hp = hp->next) { + if (zstr(hp->name)) { + continue; + } + + if (todup->subclass_name && !strcasecmp(hp->name, "Event-Subclass")) { + continue; + } + + if (hp->idx > 0 && hp->array) { + for (int i = 0; i < hp->idx; i++) { + if (!zstr(hp->array[i])) { + switch_event_add_header_string(*event, SWITCH_STACK_PUSH, hp->name, hp->array[i]); + } + } + } else if (!zstr(hp->value)) { + switch_event_add_header_string(*event, SWITCH_STACK_BOTTOM, hp->name, hp->value); + } + } + + if (!zstr(todup->body)) { + (*event)->body = DUP(todup->body); + } + + (*event)->key = todup->key; + + return SWITCH_STATUS_SUCCESS; } From b6ee41013f5e3e2d0e30f51df44e593ea934e094 Mon Sep 17 00:00:00 2001 From: Gustavo Almeida Date: Wed, 17 Sep 2025 10:33:21 +0100 Subject: [PATCH 3/3] feat: improve also switch_event_dup_reply function with security checks --- src/switch_event.c | 99 ++++++++++++++++++++++++++-------------------- 1 file changed, 56 insertions(+), 43 deletions(-) diff --git a/src/switch_event.c b/src/switch_event.c index e01194769cd..f8de62cc059 100644 --- a/src/switch_event.c +++ b/src/switch_event.c @@ -1376,59 +1376,72 @@ SWITCH_DECLARE(switch_status_t) switch_event_dup(switch_event_t **event, switch_ SWITCH_DECLARE(switch_status_t) switch_event_dup_reply(switch_event_t **event, switch_event_t *todup) { - switch_event_header_t *hp; - char hname[1024] = ""; - char *p; + switch_event_header_t *hp; + char hname[1024] = ""; + char *p; - if (switch_event_create_subclass(event, SWITCH_EVENT_CLONE, todup->subclass_name) != SWITCH_STATUS_SUCCESS) { - return SWITCH_STATUS_GENERR; - } + if (switch_event_create_subclass(event, SWITCH_EVENT_CLONE, todup->subclass_name) != SWITCH_STATUS_SUCCESS) { + return SWITCH_STATUS_GENERR; + } - (*event)->event_id = todup->event_id; - (*event)->event_user_data = todup->event_user_data; - (*event)->bind_user_data = todup->bind_user_data; - (*event)->flags = todup->flags; + (*event)->event_id = todup->event_id; + (*event)->event_user_data = todup->event_user_data; + (*event)->bind_user_data = todup->bind_user_data; + (*event)->flags = todup->flags; - for (hp = todup->headers; hp; hp = hp->next) { - char *name = hp->name, *value = hp->value; + for (hp = todup->headers; hp; hp = hp->next) { + char *name; + char *value; - if (todup->subclass_name && !strcmp(hp->name, "Event-Subclass")) { - continue; - } + if (zstr(hp->name)) { + continue; + } - if (!strncasecmp(hp->name, "from_", 5)) { - p = hp->name + 5; - switch_snprintf(hname, sizeof(hname), "to_%s", p); - name = hname; - } else if (!strncasecmp(hp->name, "to_", 3)) { - p = hp->name + 3; - switch_snprintf(hname, sizeof(hname), "from_%s", p); - name = hname; - } else if (!strcasecmp(name, "to")) { - name = "from"; - } else if (!strcasecmp(name, "from")) { - name = "to"; - } + if (todup->subclass_name && !strcasecmp(hp->name, "Event-Subclass")) { + continue; + } - if (hp->idx) { - int i; - for (i = 0; i < hp->idx; i++) { - switch_event_add_header_string(*event, SWITCH_STACK_PUSH, name, hp->array[i]); - } - } else { - switch_event_add_header_string(*event, SWITCH_STACK_BOTTOM, name, value); - } - } + name = hp->name; + value = hp->value; - switch_event_add_header_string(*event, SWITCH_STACK_BOTTOM, "replying", "true"); + if (zstr(value) && hp->idx == 0) { + continue; + } - if (todup->body) { - switch_event_add_header_string(*event, SWITCH_STACK_BOTTOM, "orig_body", todup->body); - } + if (!strncasecmp(name, "from_", 5)) { + p = name + 5; + switch_snprintf(hname, sizeof(hname), "to_%s", p); + name = hname; + } else if (!strncasecmp(name, "to_", 3)) { + p = name + 3; + switch_snprintf(hname, sizeof(hname), "from_%s", p); + name = hname; + } else if (!strcasecmp(name, "to")) { + name = "from"; + } else if (!strcasecmp(name, "from")) { + name = "to"; + } - (*event)->key = todup->key; + if (hp->idx > 0 && hp->array) { + for (int i = 0; i < hp->idx; i++) { + if (!zstr(hp->array[i])) { + switch_event_add_header_string(*event, SWITCH_STACK_PUSH, name, hp->array[i]); + } + } + } else if (!zstr(value)) { + switch_event_add_header_string(*event, SWITCH_STACK_BOTTOM, name, value); + } + } - return SWITCH_STATUS_SUCCESS; + switch_event_add_header_string(*event, SWITCH_STACK_BOTTOM, "replying", "true"); + + if (!zstr(todup->body)) { + switch_event_add_header_string(*event, SWITCH_STACK_BOTTOM, "orig_body", todup->body); + } + + (*event)->key = todup->key; + + return SWITCH_STATUS_SUCCESS; } #define SWITCH_SERIALIZED_EVENT_MAP "S(iiisss)A(S(ss))"