authorJacob Erlbeck <jerlbeck@sysmocom.de>2013-12-03 17:14:44 +0100
committerHolger Hans Peter Freyther <holger@moiji-mobile.com>2013-12-05 10:28:23 +0100
commit9107e2da13ef83ad8a5ae40aabe2fe6bfb816dde (patch)
tree66d7cba6a747edf1dd15b8b85f5600f7af406405 /openbsc/src/libmgcp/mgcp_protocol.c
parent1771171e056a167c559c7f479512647642f518f9 (diff)
mgcp: NUL-terminate MGCP message
The MGCP message isn't always NUL-terminated when arriving at mgcp_handle_message(). This may lead to undefined results. This patch ensures that the message text is NUL-terminated by setting *msg->tail to '\0' in mgcp_handle_message(). Addresses: <000b> mgcp_protocol.c:642 Unhandled option: 'r'/114 on 0x3 <000b> mgcp_protocol.c:593 Unhandled SDP option: '='/61 on 0x3 <000b> mgcp_protocol.c:871 Unhandled option: '.'/46 on 0x2 Sponsored-by: On-Waves ehf
Diffstat (limited to 'openbsc/src/libmgcp/mgcp_protocol.c')
-rw-r--r--openbsc/src/libmgcp/mgcp_protocol.c16
1 files changed, 15 insertions, 1 deletions
diff --git a/openbsc/src/libmgcp/mgcp_protocol.c b/openbsc/src/libmgcp/mgcp_protocol.c
index d4a23a7d7..645b8a75e 100644
--- a/openbsc/src/libmgcp/mgcp_protocol.c
+++ b/openbsc/src/libmgcp/mgcp_protocol.c
@@ -261,12 +261,27 @@ struct msgb *mgcp_handle_message(struct mgcp_config *cfg, struct msgb *msg)
int i, code, handled = 0;
struct msgb *resp = NULL;
char *data;
+ unsigned char *tail = msg->l2h + msgb_l2len(msg); /* char after l2 data */
if (msgb_l2len(msg) < 4) {
LOGP(DMGCP, LOGL_ERROR, "msg too short: %d\n", msg->len);
return NULL;
}
+ /* Ensure that the msg->l2h is NUL terminated. */
+ if (tail[-1] == '\0')
+ /* nothing to do */;
+ else if (msgb_tailroom(msg) > 0)
+ tail[0] = '\0';
+ else if (tail[-1] == '\r' || tail[-1] == '\n')
+ tail[-1] = '\0';
+ else {
+ LOGP(DMGCP, LOGL_ERROR, "Cannot NUL terminate MGCP message: "
+ "Length: %d, Buffer size: %d\n",
+ msgb_l2len(msg), msg->data_len);
+ return NULL;
+ }
+
/* attempt to treat it as a response */
if (sscanf((const char *)&msg->l2h[0], "%3d %*s", &code) == 1) {
LOGP(DMGCP, LOGL_DEBUG, "Response: Code: %d\n", code);
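Review bot: The added termination logic inspects only `tail[-1]`, so a NUL byte embedded earlier in the datagram still makes the string-based parsing that follows (starting with the `sscanf` on `msg->l2h`) see a shorter message than `msgb_l2len(msg)` reports. If embedded NULs are never valid in MGCP text here, rejecting them right after the length check would close that gap, e.g. `if (memchr(msg->l2h, '\0', msgb_l2len(msg) - 1)) return NULL;` with a matching LOGP. The `tail[0] = '\0'` branch writes into tailroom without changing `msg->len`, so it deserves a comment such as `/* NUL sits in tailroom and is not counted in msg->len; it is lost if msg is extended or copied by length */`. The new LOGP passes `msgb_l2len(msg)` and `msg->data_len` to `%d`; if both are unsigned, as they appear to be in libosmocore, `%u` is the matching specifier. The body of mgcp_handle_message starts before and continues past this hunk, so later uses of `msg` are not visible here.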
@@ -278,7 +293,6 @@ struct msgb *mgcp_handle_message(struct mgcp_config *cfg, struct msgb *msg)
/*
* Check for a duplicate message and respond.
- * FIXME: Verify that the msg->l3h is NULL terminated.
*/
memset(&pdata, 0, sizeof(pdata));
pdata.cfg = cfg;