authorCorey Farrell <git@cfware.com>2016-01-25 12:03:21 -0500
committerCorey Farrell <git@cfware.com>2016-01-25 12:06:28 -0500
commita6823bb0c4f33dd19c11cd30f23650a194c2dbb7 (patch)
treeadf01347efab8aef87da2499ed55106954ea8ed8 /channels/chan_sip.c
parentfcb6c1737d586d5e574d3c2f865157a9632979a7 (diff)
chan_sip: Fix buffer overrun in sip_sipredirect.
sip_sipredirect uses sscanf to copy up to 256 characters to a stack buffer of 256 characters. This patch reduces the copy to 255 characters to leave room for the string null terminator. ASTERISK-25722 #close Change-Id: Id6c3a629a609e94153287512c59aa1923e8a03ab
Diffstat (limited to 'channels/chan_sip.c')
-rw-r--r--channels/chan_sip.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index c2df516e2..684431740 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -32954,8 +32954,8 @@ static int sip_sipredirect(struct sip_pvt *p, const char *dest)
memset(ldomain, 0, sizeof(ldomain));
local_to_header++;
- /* This is okey because lhost and lport are as big as tmp */
- sscanf(local_to_header, "%256[^<>; ]", ldomain);
+ /* Will copy no more than 255 chars plus null terminator. */
+ sscanf(local_to_header, "%255[^<>; ]", ldomain);
if (ast_strlen_zero(ldomain)) {
ast_log(LOG_ERROR, "Can't find the host address\n");
return 0;
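Review bot: The field width `255` in the `sscanf` format is still a bare literal with no link to the declaration of `ldomain`, which lies outside this hunk (the commit message gives it as 256 bytes), so resizing that buffer later would silently bring the overrun back. The new comment should state the invariant rather than just the number, for example `/* Field width must stay at sizeof(ldomain) - 1: %N[ stores up to N chars plus a NUL. */`. A host part longer than 255 characters is also cut short without any log line, and the shortened value is presumably used further down in sip_sipredirect, whose body continues outside the hunk. Checking that the character following the scanned span is one of the delimiters or the end of the string would let that case be rejected instead.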