diff options
author | Jeremy McNamara <jj@nufone.net> | 2004-01-11 19:24:15 +0000 |
---|---|---|
committer | Jeremy McNamara <jj@nufone.net> | 2004-01-11 19:24:15 +0000 |
commit | 1e3bd03b927538ac1ba6d4ae84047f1547a448f8 (patch) | |
tree | dd930d797479241ce9f8b975a2f8f297a2c0693f /channels | |
parent | f6d7d4d020fb05b447da2fac54ae91c4065c5d94 (diff) |
More buffer overflow checks from Corydon76.
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@1953 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'channels')
-rwxr-xr-x | channels/chan_sip.c | 35 |
1 files changed, 21 insertions, 14 deletions
diff --git a/channels/chan_sip.c b/channels/chan_sip.c index fc051d466..5e91c9f3a 100755 --- a/channels/chan_sip.c +++ b/channels/chan_sip.c @@ -626,7 +626,6 @@ static char *ditch_braces(char *tmp) { char *c = tmp; char *n; - c = tmp; if ((n = strchr(tmp, '<')) ) { c = n + 1; while(*c && *c != '>') c++; @@ -2528,13 +2527,13 @@ static int add_sdp(struct sip_request *resp, struct sip_pvt *p, struct ast_rtp * if (codec > -1) { snprintf(costr, sizeof(costr), " %d", codec); if (cur->codec < AST_FORMAT_MAX_AUDIO) { - strcat(m, costr); + strncat(m, costr, sizeof(m) - strlen(m)); snprintf(costr, sizeof(costr), "a=rtpmap:%d %s/8000\r\n", codec, ast_rtp_lookup_mime_subtype(1, cur->codec)); - strcat(a, costr); + strncat(a, costr, sizeof(a)); } else { - strcat(m2, costr); + strncat(m2, costr, sizeof(m2) - strlen(m2)); snprintf(costr, sizeof(costr), "a=rtpmap:%d %s/90000\r\n", codec, ast_rtp_lookup_mime_subtype(1, cur->codec)); - strcat(a2, costr); + strncat(a2, costr, sizeof(a2)); } } } @@ -2550,13 +2549,13 @@ static int add_sdp(struct sip_request *resp, struct sip_pvt *p, struct ast_rtp * if (codec > -1) { snprintf(costr, sizeof(costr), " %d", codec); if (x < AST_FORMAT_MAX_AUDIO) { - strcat(m, costr); + strncat(m, costr, sizeof(m) - strlen(m)); snprintf(costr, sizeof(costr), "a=rtpmap:%d %s/8000\r\n", codec, ast_rtp_lookup_mime_subtype(1, x)); - strcat(a, costr); + strncat(a, costr, sizeof(m) - strlen(a)); } else { - strcat(m2, costr); + strncat(m2, costr, sizeof(m2) - strlen(m2)); snprintf(costr, sizeof(costr), "a=rtpmap:%d %s/90000\r\n", codec, ast_rtp_lookup_mime_subtype(1, x)); - strcat(a2, costr); + strncat(a2, costr, sizeof(a2) - strlen(a2)); } } } @@ -2568,20 +2567,24 @@ static int add_sdp(struct sip_request *resp, struct sip_pvt *p, struct ast_rtp * codec = ast_rtp_lookup_code(p->rtp, 0, x); if (codec > -1) { snprintf(costr, sizeof(costr), " %d", codec); - strcat(m, costr); + strncat(m, costr, sizeof(m) - strlen(m)); snprintf(costr, sizeof(costr), "a=rtpmap:%d %s/8000\r\n", codec, ast_rtp_lookup_mime_subtype(0, x)); - strcat(a, costr); + strncat(a, costr, sizeof(a) - strlen(a)); if (x == AST_RTP_DTMF) { /* Indicate we support DTMF... Not sure about 16, but MSN supports it so dang it, we will too... */ snprintf(costr, sizeof costr, "a=fmtp:%d 0-16\r\n", codec); - strcat(a, costr); + strncat(a, costr, sizeof(a) - strlen(a)); } } } } - strcat(m, "\r\n"); - strcat(m2, "\r\n"); + if (strlen(m) < sizeof(m) - 2) + strcat(m, "\r\n"); + if (strlen(m2) < sizeof(m2) - 2) + strcat(m2, "\r\n"); + if ((sizeof(m) <= strlen(m) - 2) || (sizeof(m2) <= strlen(m2) - 2) || (sizeof(a) == strlen(a)) || (sizeof(a2) == strlen(a2))) + ast_log(LOG_WARNING, "SIP SDP may be truncated due to undersized buffer!!\n"); len = strlen(v) + strlen(s) + strlen(o) + strlen(c) + strlen(t) + strlen(m) + strlen(a); if (p->vrtp) len += strlen(m2) + strlen(a2); @@ -2925,6 +2928,8 @@ static int transmit_state_notify(struct sip_pvt *p, int state, int full) t = tmp + strlen(tmp); sprintf(t, "</dialog>\n</dialog-info>\n"); } + if (t > tmp + sizeof(tmp)) + ast_log(LOG_WARNING, "Buffer overflow detected!! (Please file a bug report)\n"); snprintf(clen, sizeof(clen), "%d", strlen(tmp)); add_header(&req, "Content-Length", clen); @@ -4513,6 +4518,8 @@ static int reply_digest(struct sip_pvt *p, struct sip_request *req, char *header if (c) c++; } + if (strlen(tmp) >= sizeof(tmp)) + ast_log(LOG_WARNING, "Buffer overflow detected! Please file a bug.\n"); /* copy realm and nonce for later authorization of CANCELs and BYEs */ strncpy(p->realm, realm, sizeof(p->realm)-1); |