From 6af7fc4c37b314ba2bf3380d44c7e4ac409787e2 Mon Sep 17 00:00:00 2001
From: Joshua Colp
Date: Thu, 3 Mar 2016 10:26:10 -0400
Subject: res_pjsip_dtmf_info: NULL terminate the message body.

PJSIP does not ensure that when printing the message body the buffer will be NULL terminated. This is problematic when searching for the signal and duration values of the DTMF.

This change ensures the buffer is always NULL terminated.

Change-Id: I52653a1a60c93092d06af31a27408d569cc98968
---
 res/res_pjsip_dtmf_info.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/res/res_pjsip_dtmf_info.c b/res/res_pjsip_dtmf_info.c
index 78d529c30..47ccd1ae5 100644
--- a/res/res_pjsip_dtmf_info.c
+++ b/res/res_pjsip_dtmf_info.c
@@ -82,14 +82,13 @@ static char get_event(const char *c)
 static int dtmf_info_incoming_request(struct ast_sip_session *session, struct pjsip_rx_data *rdata)
 {
 	pjsip_msg_body *body = rdata->msg_info.msg->body;
-	char buf[body ? body->len : 0];
+	char buf[body ? body->len + 1 : 1];
 	char *cur = buf;
 	char *line;
-
 	char event = '\0';
 	unsigned int duration = 100;
-
 	char is_dtmf;
+	int res;
 
 	if (!session->channel) {
 		return 0;
@@ -107,7 +106,12 @@ static int dtmf_info_incoming_request(struct ast_sip_session *session, struct pj
 		return 0;
 	}
 
-	body->print_body(body, buf, body->len);
+	res = body->print_body(body, buf, body->len);
+	if (res < 0) {
+		send_response(session, rdata, 500);
+		return 0;
+	}
+	buf[res] = '\0';
 
 	if (is_dtmf) {
 		/* directly use what is in the message body */
-- 
cgit v1.2.3
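Review bot: `char buf[body ? body->len + 1 : 1]` is still a variable-length array whose size comes from `body->len`, a value taken from the received request, so stack usage in dtmf_info_incoming_request is dictated by the remote peer; the commit only adds the terminator byte. Nothing in the hunk shows an upper bound on `body->len`, so a reader cannot tell from here whether it is capped by the size of rdata's packet buffer. The declaration deserves a comment such as `/* VLA sized by the peer-supplied body length, +1 for the NUL written after print_body(); assumes body->len is bounded by the receive packet buffer */`, and a fixed cap or heap allocation if that assumption does not hold. The function continues past the end of the hunk.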
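Review bot: `buf[res] = '\0'` is in bounds only if `print_body` never returns more than the `body->len` it was handed; that is presumably the PJSIP contract, but the hunk checks only the negative case, so tightening the guard to `if (res < 0 || res > body->len) {` would make the terminator write safe regardless of the callback's behaviour. Answering a body that fails to print with `500` also presents a malformed INFO as a server fault; a short comment on the `send_response(session, rdata, 500);` line stating why 500 rather than a 4xx was chosen would help the next reader. The `!body` guard this hunk relies on (buf is a single byte when body is NULL) sits between the two hunks and is not visible on this page.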