From 02480f906a9f44a3511172785e65e7e4127281ce Mon Sep 17 00:00:00 2001
From: philsmd
Date: Wed, 15 Feb 2017 11:33:52 +0100
Subject: [PATCH 1/2] prevent buffer overflow in case of OPTS_TYPE_ST_ADD80 and/or OPTS_TYPE_ST_ADD01
---
 src/interface.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/interface.c b/src/interface.c
index e3fd78889..9fce09f16 100644
--- a/src/interface.c
+++ b/src/interface.c
@@ -2109,11 +2109,15 @@ static u32 parse_and_store_salt (u8 *out, u8 *in, u32 salt_len, MAYBE_UNUSED con
 if (hashconfig->opts_type & OPTS_TYPE_ST_ADD80)
 {
+ if (len >= 256) return UINT_MAX;
+
 tmp[len++] = 0x80;
 }
 if (hashconfig->opts_type & OPTS_TYPE_ST_ADD01)
 {
+ if (len >= 256) return UINT_MAX;
+
 tmp[len++] = 0x01;
 }
From 12517f1b7af58833b6fe39f62ecbf0e0e0728897 Mon Sep 17 00:00:00 2001
From: philsmd
Date: Wed, 15 Feb 2017 11:50:35 +0100
Subject: [PATCH 2/2] typo: don't add URI_prefix_len and URI_suffix_len twice
---
 src/interface.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/interface.c b/src/interface.c
index 9fce09f16..f49488741 100644
--- a/src/interface.c
+++ b/src/interface.c
@@ -11013,12 +11013,12 @@ int sip_auth_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_U
 u32 md5_max_len = 4 * 64;
- u32 total_length = method_len + 1 + URI_prefix_len + URI_prefix_len + URI_resource_len + URI_suffix_len + URI_suffix_len;
+ u32 total_length = method_len + 1 + URI_prefix_len + URI_resource_len + URI_suffix_len;
 if (URI_prefix_len) total_length++;
 if (URI_suffix_len) total_length++;
- if (total_length > md5_max_len) return (PARSER_SALT_LENGTH);
+ if (total_length >= md5_max_len) return (PARSER_SALT_LENGTH);
 u32 md5_remaining_len = md5_max_len;
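Review bot: The two new guards in parse_and_store_salt (the OPTS_TYPE_ST_ADD80 and OPTS_TYPE_ST_ADD01 branches) hard-code 256, so they are only correct while that literal matches the size of `tmp`, whose declaration is outside the hunk. Tying the bound to the buffer keeps them from drifting apart, e.g. a constant shared with the declaration, `if (len >= SALT_TMP_SIZE) return UINT_MAX;` (name constructed here), or `sizeof (tmp)` if `tmp` is an array rather than a pointer. Because the function returns u32, the failure value is in-band; a comment such as `// returns UINT_MAX if the salt plus padding byte does not fit in tmp` would help, and each caller should be confirmed to test for UINT_MAX before using the result as a length.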
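Review bot: In sip_auth_parse_hash the length check changes from `>` to `>=`, which rejects one more input length than before, yet the commit message describes only the duplicated-term typo. The reason equality must be refused is not visible in the hunk; presumably the code that follows needs at least one spare byte in the md5 buffer, but that should be confirmed and recorded. A short comment above the check would do, e.g. `// must stay strictly below md5_max_len: one byte is still appended after this data (confirm)`. The function body starts and ends outside the hunk, so the buffer being protected cannot be checked from here.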