From bf6423a33678d95896cfb6325572dab3a23e6d6a Mon Sep 17 00:00:00 2001
From: Mark Michelson
Date: Tue, 6 Dec 2016 10:56:06 -0600
Subject: Iostreams: Correct off-by-one error.
ast_iostream_printf() attempts first to use a fixed-size buffer to perform its printf-like operation. If the fixed-size buffer is too small, then a heap allocation is used instead. The heap allocation in this case was exactly the length of the string to print. The issue here is that the ensuing call to vsnprintf() will print a NULL byte in the final space of the string. This meant that the final character was being chopped off the string and replaced with a NULL byte. For HTTP in particular, this caused problems because HTTP publishes the expected Contact-Length. This meant HTTP was publishing a length one character larger than what was actually present in the message. This patch corrects the issue by adding one to the allocation length. ASTERISK-26629 Reported by Joshua Colp Change-Id: Ib3c5f41e96833d0415cf000656ac368168add639
---
 main/iostream.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
(limited to 'main/iostream.c')
diff --git a/main/iostream.c b/main/iostream.c
index a20a04896..22cd5985c 100644
--- a/main/iostream.c
+++ b/main/iostream.c
@@ -404,7 +404,7 @@ ssize_t ast_iostream_write(struct ast_iostream *stream, const void *buf, size_t
 ssize_t ast_iostream_printf(struct ast_iostream *stream, const void *fmt, ...)
 {
- char sbuf[256], *buf = sbuf;
+ char sbuf[512], *buf = sbuf;
 int len, len2, ret = -1;
 va_list va;
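Review bot: The bump of `sbuf` from 256 to 512 bytes is not mentioned in the commit message and is not needed for the off-by-one fix; it only moves the threshold at which the heap path is taken. Since that heap path is the code being corrected, a regression test should format a message longer than 511 bytes so the fallback is actually exercised. A short comment on the declaration, such as `/* Stack buffer for the common case; longer output is formatted into a heap buffer below */`, would record the intent. The body of ast_iostream_printf() continues outside this hunk.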
@@ -412,15 +412,18 @@ ssize_t ast_iostream_printf(struct ast_iostream *stream, const void *fmt, ...)
 len = vsnprintf(buf, sizeof(sbuf), fmt, va);
 va_end(va);
- if (len > sizeof(sbuf)) {
- buf = ast_malloc(len);
+ if (len > sizeof(sbuf) - 1) {
+ /* Add one to the string length to accommodate the NULL byte */
+ size_t buf_len = len + 1;
+
+ buf = ast_malloc(buf_len);
 if (!buf) {
 return -1;
 }
 va_start(va, fmt);
- len2 = vsnprintf(buf, len, fmt, va);
+ len2 = vsnprintf(buf, buf_len, fmt, va);
 va_end(va);
- if (len2 > len) {
+ if (len2 != len) {
 goto error;
 }
 }
-- cgit v1.2.3
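Review bot: A negative return from the first vsnprintf() is not rejected before `if (len > sizeof(sbuf) - 1)`: `len` is an int and the right-hand side is a size_t, so -1 converts to a very large unsigned value and takes the heap path, where `buf_len = len + 1` becomes 0. The second vsnprintf() would then likely fail the same way, so the new `len2 != len` test passes and the negative length appears to continue to whatever consumes `len` after the hunk (not visible here). Add `if (len < 0) { return -1; }` right after the first `va_end(va);`, and compute the size as `size_t buf_len = (size_t)len + 1;` so the addition is not done in int. The function body starts and ends outside this hunk.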