From 7369d96f8361c523a7ae4753391a9a7336a89fb8 Mon Sep 17 00:00:00 2001
From: Benny Prijono
Date: Tue, 8 Oct 2013 09:08:13 +0000
Subject: Re #1703: fixing general bugs. First installment: correct handling of snprintf return value
git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@4613 74dad513-b988-da41-8d7b-12977e46ad98
---
 pjlib-util/src/pjlib-util/dns_dump.c | 8 ++++----
 pjlib-util/src/pjlib-util/errno.c | 3 ++-
 pjlib-util/src/pjlib-util/http_client.c | 12 ++++++++----
 pjlib/src/pj/errno.c | 13 +++++++++----
 pjlib/src/pj/lock.c | 2 +-
 pjlib/src/pj/log.c | 3 +++
 pjlib/src/pj/os_error_symbian.cpp | 2 +-
 pjlib/src/pj/ssl_sock_ossl.c | 3 ++-
 pjmedia/src/pjmedia-audiodev/alsa_dev.c | 29 +++++++++++++++++++++++------
 pjmedia/src/pjmedia-audiodev/errno.c | 3 ++-
 pjmedia/src/pjmedia-videodev/errno.c | 3 ++-
 pjmedia/src/pjmedia/endpoint.c | 10 +++++-----
 pjmedia/src/pjmedia/errno.c | 3 ++-
 pjmedia/src/pjmedia/ffmpeg_util.c | 2 ++
 pjmedia/src/pjmedia/sdp.c | 4 ++--
 pjmedia/src/pjmedia/stream.c | 2 ++
 pjmedia/src/pjmedia/transport_ice.c | 4 ++--
 pjmedia/src/pjmedia/transport_srtp.c | 7 ++++++-
 pjmedia/src/pjmedia/vid_stream.c | 2 ++
 pjnath/src/pjnath/errno.c | 8 ++++----
 pjnath/src/pjnath/stun_msg.c | 3 ++-
 pjsip-apps/src/samples/icedemo.c | 3 ++-
 pjsip/src/pjsip-simple/errno.c | 3 ++-
 pjsip/src/pjsip-ua/sip_100rel.c | 3 +++
 pjsip/src/pjsip/sip_errno.c | 3 ++-
 pjsip/src/pjsua-lib/pjsua_acc.c | 7 +++++--
 pjsip/src/pjsua-lib/pjsua_aud.c | 6 ++++--
 pjsip/src/pjsua-lib/pjsua_dump.c | 12 ++++++------
 28 files changed, 110 insertions(+), 53 deletions(-)
diff --git a/pjlib-util/src/pjlib-util/dns_dump.c b/pjlib-util/src/pjlib-util/dns_dump.c
index 95e58c79..c3c776ba 100644
--- a/pjlib-util/src/pjlib-util/dns_dump.c
+++ b/pjlib-util/src/pjlib-util/dns_dump.c
@@ -36,7 +36,7 @@ static const char *spell_ttl(char *buf, int size, unsigned ttl) if (ttl > DAY) { len = pj_ansi_snprintf(p, size, "%dd ", ttl/DAY); - if (len < 1) + if (len < 1 || len >= size) return "-err-"; size -= len; p += len; @@ -45,7 +45,7 @@ static const char *spell_ttl(char *buf, int size, unsigned ttl) if (ttl > HOUR) { len = pj_ansi_snprintf(p, size, "%dh ", ttl/HOUR); - if (len < 1) + if (len < 1 || len >= size) return "-err-"; size -= len; p += len; @@ -54,7 +54,7 @@ static const char *spell_ttl(char *buf, int size, unsigned ttl) if (ttl > MINUTE) { len = pj_ansi_snprintf(p, size, "%dm ", ttl/MINUTE); - if (len < 1) + if (len < 1 || len >= size) return "-err-"; size -= len; p += len; @@ -63,7 +63,7 @@ static const char *spell_ttl(char *buf, int size, unsigned ttl) if (ttl > 0) { len = pj_ansi_snprintf(p, size, "%ds ", ttl); - if (len < 1) + if (len < 1 || len >= size) return "-err-"; size -= len; p += len; diff --git a/pjlib-util/src/pjlib-util/errno.c b/pjlib-util/src/pjlib-util/errno.c index 1949d05e..29bd765b 100644 --- a/pjlib-util/src/pjlib-util/errno.c +++ b/pjlib-util/src/pjlib-util/errno.c @@ -166,7 +166,8 @@ pj_str_t pjlib_util_strerror(pj_status_t statcode, errstr.slen = pj_ansi_snprintf(buf, bufsize, "Unknown pjlib-util error %d", statcode); - + if (errstr.slen < 1 || errstr.slen >= (pj_ssize_t)bufsize) + errstr.slen = bufsize - 1; return errstr; } diff --git a/pjlib-util/src/pjlib-util/http_client.c b/pjlib-util/src/pjlib-util/http_client.c index 941683ef..ceb4c602 100644 --- a/pjlib-util/src/pjlib-util/http_client.c +++ b/pjlib-util/src/pjlib-util/http_client.c @@ -1358,6 +1358,7 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq) if (chal->qop.slen == 0) { const pj_str_t STR_MD5 = { "MD5", 3 }; + int max_len; /* Server doesn't require quality of protection. */ auth_create_digest_response(&digest_response, cred, 
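Review bot: The new clamp `errstr.slen = bufsize - 1;` in pjlib_util_strerror treats a negative pj_ansi_snprintf return the same as truncation, but under a C99 snprintf a negative value means the call failed and buf holds nothing usable, so the caller receives bufsize-1 bytes that were never written; the clamp is only the right length on a runtime that reports truncation as -1, and pj_ansi_snprintf's definition is not visible here. Either give the failure case an empty string, `if (errstr.slen < 0) errstr.slen = 0; else if (errstr.slen >= (pj_ssize_t)bufsize) errstr.slen = bufsize - 1;`, or state the assumed snprintf contract in a comment at the clamp. All variants also compute `bufsize - 1` without ruling out bufsize == 0, which wraps for an unsigned size. The same shape appears in pjlib errno.c (pjlib_error and pj_strerror), ssl_sock_ossl.c, pjmedia-audiodev/errno.c, pjmedia-videodev/errno.c, pjmedia/errno.c, pjnath/errno.c (where it replaces an explicit `slen = 0` for the negative case), stun_msg.c, pjsip-simple/errno.c, sip_errno.c, pjsua_aud.c, stream.c and vid_stream.c; pjlib_util_strerror itself begins outside the hunk.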
@@ -1365,8 +1366,9 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq) &hreq->hurl.path, &chal->realm, &hreq->param.method); + max_len = len; len = pj_ansi_snprintf( - phdr->value.ptr, len, + phdr->value.ptr, max_len, "Digest username=\"%.*s\", " "realm=\"%.*s\", " "nonce=\"%.*s\", " @@ -1379,7 +1381,7 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq) STR_PREC(hreq->hurl.path), STR_PREC(STR_MD5), STR_PREC(digest_response)); - if (len < 0) + if (len < 0 || len >= max_len) return PJ_ETOOSMALL; phdr->value.slen = len; @@ -1391,13 +1393,15 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq) const pj_str_t qop = pj_str("auth"); const pj_str_t nc = pj_str("00000001"); const pj_str_t cnonce = pj_str("b39971"); + int max_len; auth_create_digest_response(&digest_response, cred, &chal->nonce, &nc, &cnonce, &qop, &hreq->hurl.path, &chal->realm, &hreq->param.method); + max_len = len; len = pj_ansi_snprintf( - phdr->value.ptr, len, + phdr->value.ptr, max_len, "Digest username=\"%.*s\", " "realm=\"%.*s\", " "nonce=\"%.*s\", " @@ -1416,7 +1420,7 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq) STR_PREC(qop), STR_PREC(nc), STR_PREC(cnonce)); - if (len < 0) + if (len < 0 || len >= max_len) return PJ_ETOOSMALL; phdr->value.slen = len; diff --git a/pjlib/src/pj/errno.c b/pjlib/src/pj/errno.c index ebfeb9ed..ff54bd4b 100644 --- a/pjlib/src/pj/errno.c +++ b/pjlib/src/pj/errno.c @@ -91,6 +91,8 @@ static const struct */ static int pjlib_error(pj_status_t code, char *buf, pj_size_t size) { + int len; + #if defined(PJ_HAS_ERROR_STRING) && PJ_HAS_ERROR_STRING!=0 unsigned i; @@ -105,7 +107,10 @@ static int pjlib_error(pj_status_t code, char *buf, pj_size_t size) } #endif - return pj_ansi_snprintf( buf, size, "Unknown pjlib error %d", code); + len = pj_ansi_snprintf( buf, size, "Unknown pjlib error %d", code); + if (len < 1 || len >= (int)size) + len = size - 1; + return len; } #define IN_RANGE(val,start,end) ((val)>=(start) && (val)<(end)) 
@@ -199,9 +204,9 @@ PJ_DEF(pj_str_t) pj_strerror( pj_status_t statcode, len = pj_ansi_snprintf( buf, bufsize, "Unknown error %d", statcode); } - if (len < 1) { - *buf = '\0'; - len = 0; + if (len < 1 || len >= (int)bufsize) { + len = bufsize - 1; + buf[len] = '\0'; } errstr.ptr = buf; diff --git a/pjlib/src/pj/lock.c b/pjlib/src/pj/lock.c index a521fd49..d7f4ffaf 100644 --- a/pjlib/src/pj/lock.c +++ b/pjlib/src/pj/lock.c @@ -683,7 +683,7 @@ PJ_DEF(void) pj_grp_lock_dump(pj_grp_lock_t *grp_lock) int len; len = pj_ansi_snprintf(start, max_len, "%s:%d ", ref->file, ref->line); - if (len < 1 || len > max_len) { + if (len < 1 || len >= max_len) { len = strlen(ref->file); if (len > max_len - 1) len = max_len - 1; diff --git a/pjlib/src/pj/log.c b/pjlib/src/pj/log.c index 47b6b0fc..bb808dac 100644 --- a/pjlib/src/pj/log.c +++ b/pjlib/src/pj/log.c @@ -445,6 +445,9 @@ PJ_DEF(void) pj_log( const char *sender, int level, print_len = pj_ansi_snprintf(pre, sizeof(log_buffer)-len, ""); } + if (print_len < 1 || print_len >= (int)(sizeof(log_buffer)-len)) { + print_len = sizeof(log_buffer) - len - 1; + } len = len + print_len; if (len > 0 && len < (int)sizeof(log_buffer)-2) { if (log_decor & PJ_LOG_HAS_CR) { diff --git a/pjlib/src/pj/os_error_symbian.cpp b/pjlib/src/pj/os_error_symbian.cpp index 4af9b30e..d04907fe 100644 --- a/pjlib/src/pj/os_error_symbian.cpp +++ b/pjlib/src/pj/os_error_symbian.cpp @@ -162,7 +162,7 @@ PJ_DEF(int) platform_strerror( pj_os_err_type os_errcode, } if (!len) { - len = pj_ansi_snprintf( buf, bufsize, "Symbian native error %d", + len = pj_ansi_snprintf( buf, bufsize-1, "Symbian native error %d", os_errcode); buf[len] = '\0'; } diff --git a/pjlib/src/pj/ssl_sock_ossl.c b/pjlib/src/pj/ssl_sock_ossl.c index 281e6f8a..7c2b8461 100644 --- a/pjlib/src/pj/ssl_sock_ossl.c +++ b/pjlib/src/pj/ssl_sock_ossl.c 
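Review bot: In platform_strerror the line `buf[len] = '\0';` still indexes with the raw pj_ansi_snprintf return value, so when "Symbian native error %d" does not fit, a C99-style return (the full would-be length) writes the terminator past the end of buf, and a runtime that reports truncation as -1 writes buf[-1]; passing `bufsize-1` instead of `bufsize` does not change either outcome. Clamp before indexing: `len = pj_ansi_snprintf(buf, bufsize, "Symbian native error %d", os_errcode);` then `if (len < 1 || len >= (int)bufsize) len = (int)bufsize - 1;` followed by the existing `buf[len] = '\0';`. platform_strerror begins outside the hunk, so the type of bufsize is inferred from the cast used elsewhere in this commit.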
@@ -272,7 +272,8 @@ static pj_str_t ssl_strerror(pj_status_t status, errstr.slen = pj_ansi_snprintf(buf, bufsize, "Unknown OpenSSL error %lu", ssl_err); - + if (errstr.slen < 1 || errstr.slen >= (int)bufsize) + errstr.slen = bufsize - 1; return errstr; } diff --git a/pjmedia/src/pjmedia-audiodev/alsa_dev.c b/pjmedia/src/pjmedia-audiodev/alsa_dev.c index efda3190..997b5894 100644 --- a/pjmedia/src/pjmedia-audiodev/alsa_dev.c +++ b/pjmedia/src/pjmedia-audiodev/alsa_dev.c @@ -171,7 +171,7 @@ static void alsa_error_handler (const char *file, ...) { char err_msg[128]; - int index; + int index, len; va_list arg; #ifndef NDEBUG @@ -180,13 +180,30 @@ static void alsa_error_handler (const char *file, #else index = snprintf (err_msg, sizeof(err_msg), "ALSA lib: "); #endif + if (index < 1 || index >= (int)sizeof(err_msg)) { + index = sizeof(err_msg)-1; + err_msg[index] = '\0'; + goto print_msg; + } + va_start (arg, fmt); - if (index < sizeof(err_msg)-1) - index += vsnprintf (err_msg+index, sizeof(err_msg)-index, fmt, arg); + if (index < sizeof(err_msg)-1) { + len = vsnprintf( err_msg+index, sizeof(err_msg)-index, fmt, arg); + if (len < 1 || len >= (int)sizeof(err_msg)-index) + len = sizeof(err_msg)-index-1; + index += len; + err_msg[index] = '\0'; + } va_end(arg); - if (err && index < sizeof(err_msg)-1) - index += snprintf (err_msg+index, sizeof(err_msg)-index, ": %s", - snd_strerror(err)); + if (err && index < sizeof(err_msg)-1) { + len = snprintf( err_msg+index, sizeof(err_msg)-index, ": %s", + snd_strerror(err)); + if (len < 1 || len >= (int)sizeof(err_msg)-index) + len = sizeof(err_msg)-index-1; + index += len; + err_msg[index] = '\0'; + } +print_msg: PJ_LOG (4,(THIS_FILE, "%s", err_msg)); } diff --git a/pjmedia/src/pjmedia-audiodev/errno.c b/pjmedia/src/pjmedia-audiodev/errno.c index a928485a..f22ee2ea 100644 --- a/pjmedia/src/pjmedia-audiodev/errno.c +++ b/pjmedia/src/pjmedia-audiodev/errno.c 
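Review bot: In alsa_error_handler the vsnprintf and snprintf branches treat a negative return like truncation: `len = sizeof(err_msg)-index-1` then advances `index` to the end of the buffer, so the logged line includes bytes past `index` that were never written, and a legitimately empty result (`len == 0`) is handled the same way and silently drops the following `: %s` snd_strerror text because `index` is now sizeof(err_msg)-1. Distinguish the two cases in both places: `if (len < 0) len = 0; else if (len >= (int)sizeof(err_msg)-index) len = (int)sizeof(err_msg)-index-1;`. The comparisons `index < sizeof(err_msg)-1` mix int and size_t and are only safe because the guard above has established `index >= 1`, which deserves a one-line comment. alsa_error_handler starts outside the hunk.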
@@ -214,7 +214,8 @@ PJ_DEF(pj_str_t) pjmedia_audiodev_strerror(pj_status_t statcode, errstr.slen = pj_ansi_snprintf(buf, bufsize, "Unknown pjmedia-audiodev error %d", statcode); - + if (errstr.slen < 1 || errstr.slen >= (pj_ssize_t)bufsize) + errstr.slen = bufsize - 1; return errstr; } diff --git a/pjmedia/src/pjmedia-videodev/errno.c b/pjmedia/src/pjmedia-videodev/errno.c index d6c0da24..ee5197a4 100644 --- a/pjmedia/src/pjmedia-videodev/errno.c +++ b/pjmedia/src/pjmedia-videodev/errno.c @@ -111,7 +111,8 @@ PJ_DEF(pj_str_t) pjmedia_videodev_strerror(pj_status_t statcode, errstr.slen = pj_ansi_snprintf(buf, bufsize, "Unknown pjmedia-videodev error %d", statcode); - + if (errstr.slen < 1 || errstr.slen >= (pj_ssize_t)bufsize) + errstr.slen = bufsize - 1; return errstr; } diff --git a/pjmedia/src/pjmedia/endpoint.c b/pjmedia/src/pjmedia/endpoint.c index 1a9d2eb6..6abc680d 100644 --- a/pjmedia/src/pjmedia/endpoint.c +++ b/pjmedia/src/pjmedia/endpoint.c @@ -490,9 +490,9 @@ PJ_DEF(pj_status_t) pjmedia_endpt_create_audio_sdp(pjmedia_endpt *endpt, pjmedia_codec_fmtp *dec_fmtp = &codec_param.setting.dec_fmtp; /* Print codec PT */ - buf_len += pj_ansi_snprintf(buf, - MAX_FMTP_STR_LEN - buf_len, - "%d", + buf_len += pj_ansi_snprintf(buf, + MAX_FMTP_STR_LEN - buf_len, + "%d", codec_info->pt); for (i = 0; i < dec_fmtp->cnt; ++i) { @@ -500,7 +500,7 @@ PJ_DEF(pj_status_t) pjmedia_endpt_create_audio_sdp(pjmedia_endpt *endpt, /* Check if buf still available */ test_len = dec_fmtp->param[i].val.slen + - dec_fmtp->param[i].name.slen; + dec_fmtp->param[i].name.slen + 2; if (test_len + buf_len >= MAX_FMTP_STR_LEN) return PJ_ETOOBIG; @@ -686,7 +686,7 @@ PJ_DEF(pj_status_t) pjmedia_endpt_create_video_sdp(pjmedia_endpt *endpt, /* Check if buf still available */ test_len = dec_fmtp->param[j].val.slen + - dec_fmtp->param[j].name.slen; + dec_fmtp->param[j].name.slen + 2; if (test_len + buf_len >= MAX_FMTP_STR_LEN) return PJ_ETOOBIG; 
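Review bot: The `+ 2` added to `test_len` in both pjmedia_endpt_create_audio_sdp and pjmedia_endpt_create_video_sdp is unexplained; a comment such as `/* +2: room for the separator characters the snprintf below adds around name and value */` (adjusted to the characters that print actually emits, which is outside the hunk) would keep the next reader from "fixing" it back. The first endpoint.c hunk still adds the raw return of the `"%d"` print of codec_info->pt to buf_len without a check, unlike the rest of this commit; an int needs at most 11 characters, so this only matters if MAX_FMTP_STR_LEN - buf_len can be that small, which is not visible here. Both functions begin outside the hunks.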
diff --git a/pjmedia/src/pjmedia/errno.c b/pjmedia/src/pjmedia/errno.c index 7a8538eb..a4584739 100644 --- a/pjmedia/src/pjmedia/errno.c +++ b/pjmedia/src/pjmedia/errno.c @@ -266,7 +266,8 @@ PJ_DEF(pj_str_t) pjmedia_strerror( pj_status_t statcode, errstr.slen = pj_ansi_snprintf(buf, bufsize, "Unknown pjmedia error %d", statcode); - + if (errstr.slen < 1 || errstr.slen >= (pj_ssize_t)bufsize) + errstr.slen = bufsize - 1; return errstr; } diff --git a/pjmedia/src/pjmedia/ffmpeg_util.c b/pjmedia/src/pjmedia/ffmpeg_util.c index 4698191f..da2d5a19 100644 --- a/pjmedia/src/pjmedia/ffmpeg_util.c +++ b/pjmedia/src/pjmedia/ffmpeg_util.c @@ -114,6 +114,8 @@ static void ffmpeg_log_cb(void* ptr, int level, const char* fmt, va_list vl) if (ptr) { AVClass* avc = *(AVClass**)ptr; len = pj_ansi_snprintf(buf, bufsize, "%s: ", avc->item_name(ptr)); + if (len < 1 || len >= bufsize) + len = bufsize - 1; bufsize -= len; } diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c index 4155f6a4..5451ed35 100644 --- a/pjmedia/src/pjmedia/sdp.c +++ b/pjmedia/src/pjmedia/sdp.c @@ -503,7 +503,7 @@ PJ_DEF(pj_status_t) pjmedia_sdp_rtpmap_to_attr(pj_pool_t *pool, (int)rtpmap->param.slen, rtpmap->param.ptr); - if (len < 1 || len > (int)sizeof(tempbuf)) + if (len < 1 || len >= (int)sizeof(tempbuf)) return PJMEDIA_SDP_ERTPMAPTOOLONG; attr->value.slen = len; @@ -526,7 +526,7 @@ static int print_connection_info( pjmedia_sdp_conn *c, char *buf, int len) c->addr_type.ptr, (int)c->addr.slen, c->addr.ptr); - if (printed < 1 || printed > len) + if (printed < 1 || printed >= len) return -1; return printed; diff --git a/pjmedia/src/pjmedia/stream.c b/pjmedia/src/pjmedia/stream.c index 9a8bde3f..d051dc43 100644 --- a/pjmedia/src/pjmedia/stream.c +++ b/pjmedia/src/pjmedia/stream.c 
@@ -2411,6 +2411,8 @@ PJ_DEF(pj_status_t) pjmedia_stream_create( pjmedia_endpt *endpt, "Time, Operation, Size, Frame Count, " "Frame type, RTP Seq, RTP TS, RTP M, " "JB size, JB burst level, JB prefetch\n"); + if (len < 1 || len >= PJ_LOG_MAX_SIZE) + len = PJ_LOG_MAX_SIZE-1; pj_file_write(stream->trace_jb_fd, stream->trace_jb_buf, &len); pj_file_flush(stream->trace_jb_fd); } diff --git a/pjmedia/src/pjmedia/transport_ice.c b/pjmedia/src/pjmedia/transport_ice.c index 9ce9a333..b6009260 100644 --- a/pjmedia/src/pjmedia/transport_ice.c +++ b/pjmedia/src/pjmedia/transport_ice.c @@ -349,7 +349,7 @@ static int print_sdp_cand_attr(char *buffer, int max_len, len2 = -1; break; } - if (len2 < 1 || len2 >= max_len) + if (len2 < 1 || len2 >= max_len-len) return -1; return len+len2; @@ -545,7 +545,7 @@ static pj_status_t encode_session_in_sdp(struct transport_ice *tp_ice, comp+1, rem_addr, pj_sockaddr_get_port(&check->rcand->addr) ); - if (len < 1 || len >= RATTR_BUF_LEN) { + if (len < 1 || len >= RATTR_BUF_LEN - rem_cand.slen) { pj_assert(!"Not enough buffer to print " "remote-candidates"); return PJ_EBUG; diff --git a/pjmedia/src/pjmedia/transport_srtp.c b/pjmedia/src/pjmedia/transport_srtp.c index 176b2d42..85b43282 100644 --- a/pjmedia/src/pjmedia/transport_srtp.c +++ b/pjmedia/src/pjmedia/transport_srtp.c @@ -1043,6 +1043,7 @@ static pj_status_t generate_crypto_attr_value(pj_pool_t *pool, int cs_idx = get_crypto_idx(&crypto->name); char b64_key[PJ_BASE256_TO_BASE64_LEN(MAX_KEY_LEN)+1]; int b64_key_len = sizeof(b64_key); + int print_len; if (cs_idx == -1) return PJMEDIA_SRTP_ENOTSUPCRYPTO; 
@@ -1101,10 +1102,14 @@ static pj_status_t generate_crypto_attr_value(pj_pool_t *pool, b64_key_len + 16), PJ_ETOOSMALL); /* Print the crypto attribute value. */ - *buffer_len = pj_ansi_snprintf(buffer, *buffer_len, "%d %s inline:%s", + print_len = pj_ansi_snprintf(buffer, *buffer_len, "%d %s inline:%s", tag, crypto_suites[cs_idx].name, b64_key); + if (print_len < 1 || print_len >= *buffer_len) + return PJ_ETOOSMALL; + + *buffer_len = print_len; return PJ_SUCCESS; } diff --git a/pjmedia/src/pjmedia/vid_stream.c b/pjmedia/src/pjmedia/vid_stream.c index 4b84b8bc..b6cc36dc 100644 --- a/pjmedia/src/pjmedia/vid_stream.c +++ b/pjmedia/src/pjmedia/vid_stream.c @@ -1650,6 +1650,8 @@ PJ_DEF(pj_status_t) pjmedia_vid_stream_create( "Time, Operation, Size, Frame Count, " "Frame type, RTP Seq, RTP TS, RTP M, " "JB size, JB burst level, JB prefetch\n"); + if (len < 1 || len >= PJ_LOG_MAX_SIZE) + len = PJ_LOG_MAX_SIZE - 1; pj_file_write(stream->trace_jb_fd, stream->trace_jb_buf, &len); pj_file_flush(stream->trace_jb_fd); } diff --git a/pjnath/src/pjnath/errno.c b/pjnath/src/pjnath/errno.c index df4bdcb7..a6bb471a 100644 --- a/pjnath/src/pjnath/errno.c +++ b/pjnath/src/pjnath/errno.c @@ -133,8 +133,8 @@ static pj_str_t pjnath_strerror(pj_status_t statcode, errstr.slen = pj_ansi_snprintf(buf, bufsize, "Unknown pjnath error %d", statcode); - if (errstr.slen < 0) errstr.slen = 0; - else if (errstr.slen > (int)bufsize) errstr.slen = bufsize; + if (errstr.slen < 1 || errstr.slen >= (int)bufsize) + errstr.slen = bufsize-1; return errstr; } @@ -164,8 +164,8 @@ static pj_str_t pjnath_strerror2(pj_status_t statcode, buf[bufsize-1] = '\0'; } - if (errstr.slen < 0) errstr.slen = 0; - else if (errstr.slen > (int)bufsize) errstr.slen = bufsize; + if (errstr.slen < 1 || errstr.slen >= (int)bufsize) + errstr.slen = bufsize-1; return errstr; } diff --git a/pjnath/src/pjnath/stun_msg.c b/pjnath/src/pjnath/stun_msg.c index ffdf09f1..cce914e2 100644 --- a/pjnath/src/pjnath/stun_msg.c 
+++ b/pjnath/src/pjnath/stun_msg.c @@ -2451,7 +2451,8 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool, "%s in %s", err_msg1, pj_stun_get_attr_name(attr_type)); - + if (e.slen < 1 || e.slen >= (int)sizeof(err_msg2)) + e.slen = sizeof(err_msg2) - 1; pj_stun_msg_create_response(pool, msg, PJ_STUN_SC_BAD_REQUEST, &e, p_response); diff --git a/pjsip-apps/src/samples/icedemo.c b/pjsip-apps/src/samples/icedemo.c index 4cb9f221..266b800a 100644 --- a/pjsip-apps/src/samples/icedemo.c +++ b/pjsip-apps/src/samples/icedemo.c @@ -517,7 +517,8 @@ static void icedemo_stop_session(void) #define PRINT(fmt, arg0, arg1, arg2, arg3, arg4, arg5) \ printed = pj_ansi_snprintf(p, maxlen - (p-buffer), \ fmt, arg0, arg1, arg2, arg3, arg4, arg5); \ - if (printed <= 0) return -PJ_ETOOSMALL; \ + if (printed <= 0 || printed >= (int)(maxlen - (p-buffer))) \ + return -PJ_ETOOSMALL; \ p += printed diff --git a/pjsip/src/pjsip-simple/errno.c b/pjsip/src/pjsip-simple/errno.c index 91a066d3..3c8c7f8b 100644 --- a/pjsip/src/pjsip-simple/errno.c +++ b/pjsip/src/pjsip-simple/errno.c @@ -110,7 +110,8 @@ PJ_DEF(pj_str_t) pjsipsimple_strerror( pj_status_t statcode, errstr.slen = pj_ansi_snprintf(buf, bufsize, "Unknown pjsip-simple error %d", statcode); - + if (errstr.slen < 1 || errstr.slen >= (pj_ssize_t)bufsize) + errstr.slen = bufsize - 1; return errstr; } diff --git a/pjsip/src/pjsip-ua/sip_100rel.c b/pjsip/src/pjsip-ua/sip_100rel.c index 60b989b2..0fb07e79 100644 --- a/pjsip/src/pjsip-ua/sip_100rel.c +++ b/pjsip/src/pjsip-ua/sip_100rel.c @@ -344,6 +344,9 @@ PJ_DEF(pj_status_t) pjsip_100rel_create_prack( pjsip_inv_session *inv, rseq, rdata->msg_info.cseq->cseq, (int)tsx->method.name.slen, tsx->method.name.ptr); + if (rack.slen < 1 || rack.slen >= (int)sizeof(rack_buf)) { + return PJ_ETOOSMALL; + } rack_hdr = pjsip_generic_string_hdr_create(tdata->pool, &RACK, &rack); pjsip_msg_add_hdr(tdata->msg, (pjsip_hdr*) rack_hdr); 
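Review bot: PRINT in icedemo.c is still a bare statement sequence, so the rewritten `if (...) return -PJ_ETOOSMALL;` and the trailing `p += printed` only act as one unit when the macro is used as a plain statement; wrapping the body in `do { ... } while (0)` makes that hold after an unbraced if/else as well. `printed <= 0` also rejects a zero-length result, which is fine for these fixed formats but worth a one-line comment so nobody relaxes it to `< 0` by analogy with the other hunks. The macro's use sites are outside the hunk.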
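Review bot: The new early `return PJ_ETOOSMALL;` in pjsip_100rel_create_prack skips whatever cleanup the function's later paths do; `tdata` is dereferenced on the very next line, so if it was created earlier in this function (its creation is outside the hunk) this path leaks it and should call `pjsip_tx_data_dec_ref(tdata);` before returning. The check itself is right for a rack_buf of sizeof(rack_buf) bytes.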
diff --git a/pjsip/src/pjsip/sip_errno.c b/pjsip/src/pjsip/sip_errno.c index 806733f1..449f65c3 100644 --- a/pjsip/src/pjsip/sip_errno.c +++ b/pjsip/src/pjsip/sip_errno.c @@ -204,7 +204,8 @@ PJ_DEF(pj_str_t) pjsip_strerror( pj_status_t statcode, errstr.slen = pj_ansi_snprintf(buf, bufsize, "Unknown pjsip error %d", statcode); - + if (errstr.slen < 1 || errstr.slen >= (pj_ssize_t)bufsize) + errstr.slen = bufsize - 1; return errstr; } diff --git a/pjsip/src/pjsua-lib/pjsua_acc.c b/pjsip/src/pjsua-lib/pjsua_acc.c index 77d9a12c..8533c793 100644 --- a/pjsip/src/pjsua-lib/pjsua_acc.c +++ b/pjsip/src/pjsua-lib/pjsua_acc.c @@ -1749,7 +1749,7 @@ static pj_bool_t acc_check_nat_addr(pjsua_acc *acc, (acc->cfg.use_rfc5626? ob: ""), (int)acc->cfg.contact_params.slen, acc->cfg.contact_params.ptr); - if (len < 1) { + if (len < 1 || len >= PJSIP_MAX_URL_SIZE) { PJ_LOG(1,(THIS_FILE, "URI too long")); pj_pool_release(pool); return PJ_FALSE; @@ -3101,7 +3101,8 @@ PJ_DEF(pj_status_t) pjsua_acc_create_uac_contact( pj_pool_t *pool, (acc->cfg.use_rfc5626? ob: ""), (int)acc->cfg.contact_params.slen, acc->cfg.contact_params.ptr); - + if (contact->slen < 1 || contact->slen >= (int)PJSIP_MAX_URL_SIZE) + return PJ_ETOOSMALL; return PJ_SUCCESS; } @@ -3271,6 +3272,8 @@ PJ_DEF(pj_status_t) pjsua_acc_create_uas_contact( pj_pool_t *pool, acc->cfg.contact_uri_params.ptr, (int)acc->cfg.contact_params.slen, acc->cfg.contact_params.ptr); + if (contact->slen < 1 || contact->slen >= (int)PJSIP_MAX_URL_SIZE) + return PJ_ETOOSMALL; return PJ_SUCCESS; } diff --git a/pjsip/src/pjsua-lib/pjsua_aud.c b/pjsip/src/pjsua-lib/pjsua_aud.c index d81ac9ab..e15c54aa 100644 --- a/pjsip/src/pjsua-lib/pjsua_aud.c +++ b/pjsip/src/pjsua-lib/pjsua_aud.c 
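Review bot: The three new checks in pjsua_acc.c compare against PJSIP_MAX_URL_SIZE with different casts — bare in acc_check_nat_addr, `(int)PJSIP_MAX_URL_SIZE` in pjsua_acc_create_uac_contact and pjsua_acc_create_uas_contact — and should use one form. They also assume the buffer handed to the preceding pj_ansi_snprintf is exactly PJSIP_MAX_URL_SIZE bytes; that size argument is outside the hunks, so comparing against the same expression (or a sizeof of the buffer) would keep the two from drifting apart. In acc_check_nat_addr the message "URI too long" is now also logged for a negative return, which is a formatting failure rather than an oversized URI.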
@@ -1759,12 +1759,14 @@ static pj_status_t open_snd_dev(pjmedia_snd_port_param *param) if (status==PJ_SUCCESS) { if (param->base.clock_rate != pjsua_var.media_cfg.clock_rate) { char tmp_buf[128]; - int tmp_buf_len = sizeof(tmp_buf); + int tmp_buf_len; - tmp_buf_len = pj_ansi_snprintf(tmp_buf, sizeof(tmp_buf)-1, + tmp_buf_len = pj_ansi_snprintf(tmp_buf, sizeof(tmp_buf), "%s (%dKHz)", rec_info.name, param->base.clock_rate/1000); + if (tmp_buf_len < 1 || tmp_buf_len >= (int)sizeof(tmp_buf)) + tmp_buf_len = sizeof(tmp_buf) - 1; pj_strset(&tmp, tmp_buf, tmp_buf_len); pjmedia_conf_set_port0_name(pjsua_var.mconf, &tmp); } else { diff --git a/pjsip/src/pjsua-lib/pjsua_dump.c b/pjsip/src/pjsua-lib/pjsua_dump.c index 2f8ef73c..8fbe8c49 100644 --- a/pjsip/src/pjsua-lib/pjsua_dump.c +++ b/pjsip/src/pjsua-lib/pjsua_dump.c @@ -128,7 +128,7 @@ static unsigned dump_media_stat(const char *indent, "" ); - if (len < 1 || len > end-p) { + if (len < 1 || len >= end-p) { *p = '\0'; return (unsigned)(p-buf); } @@ -186,7 +186,7 @@ static unsigned dump_media_stat(const char *indent, pj_math_stat_get_stddev(&stat->tx.jitter) / 1000.0 ); - if (len < 1 || len > end-p) { + if (len < 1 || len >= end-p) { *p = '\0'; return (unsigned)(p-buf); } @@ -201,7 +201,7 @@ static unsigned dump_media_stat(const char *indent, stat->rtt.last / 1000.0, pj_math_stat_get_stddev(&stat->rtt) / 1000.0 ); - if (len < 1 || len > end-p) { + if (len < 1 || len >= end-p) { *p = '\0'; return (unsigned)(p-buf); } @@ -259,7 +259,7 @@ static void dump_media_session(const char *indent, len = pj_ansi_snprintf(p, end-p, "%s #%d %s deactivated\n", indent, i, media_type_str); - if (len < 1 || len > end-p) { + if (len < 1 || len >= end-p) { *p = '\0'; return; } @@ -363,7 +363,7 @@ static void dump_media_session(const char *indent, codec_info, dir_str, rem_addr); - if (len < 1 || len > end-p) { + if (len < 1 || len >= end-p) { *p = '\0'; return; } 
@@ -470,7 +470,7 @@ static void dump_media_session(const char *indent, sprintf(s, "%d", v) # define VALIDATE_PRINT_BUF() \ - if (len < 1 || len > end-p) { *p = '\0'; return; } \ + if (len < 1 || len >= end-p) { *p = '\0'; return; } \ p += len; *p++ = '\n'; *p = '\0' -- cgit v1.2.3
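Review bot: VALIDATE_PRINT_BUF accepts `len == end-p-1`, after which `p += len` lands on the last byte, `*p++ = '\n'` fills it and `*p = '\0'` writes at `end`; if `end` is `buf + size` (its definition is outside the hunk) that is a one-byte overflow, and on the next use `end-p` is 0 so the `*p = '\0'` in the failure branches of the earlier dump_media_stat and dump_media_session hunks writes at `end` as well. Reserve room for the appended newline: `if (len < 1 || len >= end-p-1) { *p = '\0'; return; } \`. Whether the five earlier pjsua_dump.c hunks append a character after their `>= end-p` check is not visible here.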