diff options
author | Corey Farrell <git@cfware.com> | 2016-01-25 12:03:21 -0500 |
---|---|---|
committer | Corey Farrell <git@cfware.com> | 2016-01-25 11:13:11 -0600 |
commit | 830f8933c29f36484e7a106c9c92446bab6a555c (patch) | |
tree | 99da6fb1432704968d785e43fe9b19f6af546893 /channels | |
parent | 8c75371589a9191d981a7f2a6c219636ee5c995f (diff) |
chan_sip: Fix buffer overrun in sip_sipredirect.
sip_sipredirect uses sscanf to copy up to 256 characters to a stacked buffer
of 256 characters. This patch reduces the copy to 255 characters to leave
room for the string null terminator.
ASTERISK-25722 #close
Change-Id: Id6c3a629a609e94153287512c59aa1923e8a03ab
Diffstat (limited to 'channels')
-rw-r--r-- | channels/chan_sip.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/channels/chan_sip.c b/channels/chan_sip.c index 9e870275d..a3c6fb296 100644 --- a/channels/chan_sip.c +++ b/channels/chan_sip.c @@ -33012,8 +33012,8 @@ static int sip_sipredirect(struct sip_pvt *p, const char *dest) memset(ldomain, 0, sizeof(ldomain)); local_to_header++; - /* This is okey because lhost and lport are as big as tmp */ - sscanf(local_to_header, "%256[^<>; ]", ldomain); + /* Will copy no more than 255 chars plus null terminator. */ + sscanf(local_to_header, "%255[^<>; ]", ldomain); if (ast_strlen_zero(ldomain)) { ast_log(LOG_ERROR, "Can't find the host address\n"); return 0; |