From 5f501b339ee2693bd7877af4cb87e723953d1da7 Mon Sep 17 00:00:00 2001 From: Richard Mudgett Date: Tue, 3 Oct 2017 16:19:52 -0500 Subject: AST-2017-010: Fix cdr_object_update_party_b_userfield_cb() buf overrun cdr_object_update_party_b_userfield_cb() could overrun the fixed buffer if the supplied string is too long. The long string could be supplied by external means using the CDR(userfield) function. This may seem reminiscent to AST-2017-001 (ASTERISK_26897) and it is. The earlier patch fixed the buffer overrun for Party A's userfield while this patch fixes the same thing for Party B's userfield. ASTERISK-27337 Change-Id: I0fa767f65ecec7e676ca465306ff9e0edbf3b652 --- main/cdr.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/main/cdr.c b/main/cdr.c index fdf764540..3681cdc6b 100644 --- a/main/cdr.c +++ b/main/cdr.c @@ -3407,7 +3407,8 @@ static int cdr_object_update_party_b_userfield_cb(void *obj, void *arg, void *da ast_assert(cdr->party_b.snapshot && !strcasecmp(cdr->party_b.snapshot->name, info->channel_name)); - strcpy(cdr->party_b.userfield, info->userfield); + ast_copy_string(cdr->party_b.userfield, info->userfield, + sizeof(cdr->party_b.userfield)); } return 0; @@ -3430,7 +3431,8 @@ void ast_cdr_setuserfield(const char *channel_name, const char *userfield) if (it_cdr->fn_table == &finalized_state_fn_table && it_cdr->next != NULL) { continue; } - ast_copy_string(it_cdr->party_a.userfield, userfield, AST_MAX_USER_FIELD); + ast_copy_string(it_cdr->party_a.userfield, userfield, + sizeof(it_cdr->party_a.userfield)); } ao2_unlock(cdr); } -- cgit v1.2.3