diff options
author | Richard Mudgett <rmudgett@digium.com> | 2015-08-21 15:26:30 -0500 |
---|---|---|
committer | Richard Mudgett <rmudgett@digium.com> | 2015-09-10 13:10:20 -0500 |
commit | 8b3ed52239b24546b1ee12156dadccb70db7403e (patch) | |
tree | e3aa1f852ee6bf6a11dd4677667e89f615a8c95f /res/res_pjsip_pubsub.c | |
parent | 4329bd1e4c059e714122465901ea2c46dd924b71 (diff) |
res_pjsip_pubsub.c: Fix one byte buffer overrun error.
ast_sip_pubsub_register_body_generator() did not account for the null
terminator set by sprintf() in the allocated output buffer.
Change-Id: I388688a132e479bca6ad1c19275eae0070969ae2
Diffstat (limited to 'res/res_pjsip_pubsub.c')
-rw-r--r-- | res/res_pjsip_pubsub.c | 13 |
1 files changed, 5 insertions, 8 deletions
diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c index f8187897a..c60151e3c 100644 --- a/res/res_pjsip_pubsub.c +++ b/res/res_pjsip_pubsub.c @@ -2995,16 +2995,13 @@ int ast_sip_pubsub_register_body_generator(struct ast_sip_pubsub_body_generator AST_LIST_INSERT_HEAD(&body_generators, generator, list); AST_RWLIST_UNLOCK(&body_generators); - /* Lengths of type and subtype plus space for a slash. pj_str_t is not - * null-terminated, so there is no need to allocate for the extra null - * byte - */ + /* Lengths of type and subtype plus a slash. */ accept_len = strlen(generator->type) + strlen(generator->subtype) + 1; - accept.ptr = ast_alloca(accept_len); - accept.slen = accept_len; - /* Safe use of sprintf */ - sprintf(accept.ptr, "%s/%s", generator->type, generator->subtype); + /* Add room for null terminator that sprintf() will set. */ + pj_strset(&accept, ast_alloca(accept_len + 1), accept_len); + sprintf((char *) pj_strbuf(&accept), "%s/%s", generator->type, generator->subtype);/* Safe */ + pjsip_endpt_add_capability(ast_sip_get_pjsip_endpoint(), &pubsub_module, PJSIP_H_ACCEPT, NULL, 1, &accept); |