| field | value | date |
|---|---|---|
| author | Mark Michelson <mmichelson@digium.com> | 2008-03-28 20:03:16 +0000 |
| committer | Mark Michelson <mmichelson@digium.com> | 2008-03-28 20:03:16 +0000 |
| commit | bf4893fdce00ef1223f9ea2adf9fec5dcfcc82ac (patch) | |
| tree | 93e0ed44c826ef65f347d6920a0dc8ff2fba3b6c /channels | |
| parent | 3a0f4cc933283293a5b19eb11730eb3328f81052 (diff) | |
This time the fix is proper for issue 12284. I have tested it thoroughly and found
that valgrind no longer complains and that calls do complete correctly.
The fix is along the same lines as before: Make sure the final null terminator gets copied
into the new sip_request's data pointer. Without it, parse_request will read and potentially
write past the end of the string, causing potential crashes.
(closes issue #12284...for real this time!)
reported by falves11
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@111811 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'channels')
-rw-r--r-- | channels/chan_sip.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/channels/chan_sip.c b/channels/chan_sip.c index fc176db02..e7e0e9282 100644 --- a/channels/chan_sip.c +++ b/channels/chan_sip.c @@ -8305,18 +8305,24 @@ static void copy_request(struct sip_request *dst, const struct sip_request *src) memcpy(dst, src, sizeof(*dst)); dst->data = dup; - if (!dst->data && !(dst->data = ast_str_create(src->data->used))) + /* All these + 1's are to account for the need to include the NULL terminator + * Using typical string functions like ast_copy_string or ast_str_set will not + * work in this case because the src's data string is riddled with \0's all over + * the place and so a memcpy is the only way to accurately copy the string + */ + + if (!dst->data && !(dst->data = ast_str_create(src->data->used + 1))) return; else if (dst->data->len < src->data->used) - ast_str_make_space(&dst->data, src->data->used); + ast_str_make_space(&dst->data, src->data->used + 1); - memcpy(dst->data->str, src->data->str, src->data->used); + memcpy(dst->data->str, src->data->str, src->data->used + 1); dst->data->used = src->data->used; offset = ((void *)dst->data->str) - ((void *)src->data->str); /* Now fix pointer arithmetic */ - for (x=0; x < src->headers; x++) + for (x = 0; x < src->headers; x++) dst->header[x] += offset; - for (x=0; x < src->lines; x++) + for (x = 0; x < src->lines; x++) dst->line[x] += offset; /* On some occasions this function is called without parse_request being called first so lets not create an invalid pointer */ if (src->rlPart1) |
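Review bot: the resize guard in this hunk is still off by one: `else if (dst->data->len < src->data->used)` is unchanged while the following `memcpy` now copies `src->data->used + 1` bytes, so when an existing `dst->data` buffer has `len` exactly equal to `src->data->used`, `ast_str_make_space` is skipped and the copied NUL lands one byte past the buffer, which is the same class of overrun the commit sets out to fix. The condition should match the new copy length, e.g. `else if (dst->data->len < src->data->used + 1)`. Two smaller points in the same hunk: `ast_str_make_space(&dst->data, ...)` can fail and its result is not checked before the `memcpy`, unlike the `ast_str_create` path just above which returns on failure; and the added comment block carries a stray empty `+` line and says "NULL terminator" where "NUL terminator" is the accurate term for the byte being preserved.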