authormmichelson <mmichelson@f38db490-d61c-443f-a65b-d21fe96a405b>2008-03-28 16:36:59 +0000
committermmichelson <mmichelson@f38db490-d61c-443f-a65b-d21fe96a405b>2008-03-28 16:36:59 +0000
commitc94405d5d87eb0875f5eb3941d50059fb55c8e2d (patch)
treefc8e0f26a840d8ca90e1d0e068d2fb9744c4eff9
parent1b359aad73a5cb02730616692b5ab2715bdf3ad8 (diff)
The copy_request function did not take into account the necessary null terminator
for the string to be copied into. This resulted in parse_request reading invalid memory beyond the end of the string, and in some cases led to crashes. Thanks to falves11 for providing the valgrind output which led to the closure of this issue. (closes issue #12284) Reported by: falves11 git-svn-id: http://svn.digium.com/svn/asterisk/trunk@111662 f38db490-d61c-443f-a65b-d21fe96a405b
-rw-r--r--channels/chan_sip.c8
-rw-r--r--include/asterisk/strings.h2
2 files changed, 5 insertions, 5 deletions
diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index fc176db02..6c7478ceb 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -8308,15 +8308,15 @@ static void copy_request(struct sip_request *dst, const struct sip_request *src)
if (!dst->data && !(dst->data = ast_str_create(src->data->used)))
return;
else if (dst->data->len < src->data->used)
- ast_str_make_space(&dst->data, src->data->used);
+ ast_str_make_space(&dst->data, src->data->used + 1); /* Account for null terminator needed */
- memcpy(dst->data->str, src->data->str, src->data->used);
+ ast_copy_string(dst->data->str, src->data->str, dst->data->len);
dst->data->used = src->data->used;
offset = ((void *)dst->data->str) - ((void *)src->data->str);
/* Now fix pointer arithmetic */
- for (x=0; x < src->headers; x++)
+ for (x = 0; x < src->headers; x++)
dst->header[x] += offset;
- for (x=0; x < src->lines; x++)
+ for (x = 0; x < src->lines; x++)
dst->line[x] += offset;
/* On some occasions this function is called without parse_request being called first so lets not create an invalid pointer */
if (src->rlPart1)
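Review bot: The null terminator is still not accounted for when `dst->data` is first allocated, or when `dst->data->len` equals `src->data->used`, because `ast_str_create(src->data->used)` and the `<` comparison both accept a buffer of exactly `used` bytes. Assuming `len` is the allocated size, `ast_copy_string(..., dst->data->len)` then drops the last character of the request while `dst->data->used` is still set to the full `src->data->used`, so later readers can again run past the terminated data. Both sizes should include the terminator: `if (!dst->data && !(dst->data = ast_str_create(src->data->used + 1)))` and `else if (dst->data->len < src->data->used + 1)`. The result of `ast_str_make_space` is also not checked, so a failed grow would presumably leave the smaller buffer in place and the copy silently truncated. copy_request starts before and continues after this hunk.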
diff --git a/include/asterisk/strings.h b/include/asterisk/strings.h
index 226c7bb67..fbff083ab 100644
--- a/include/asterisk/strings.h
+++ b/include/asterisk/strings.h
@@ -326,7 +326,7 @@ int ast_get_timeval(const char *src, struct timeval *tv, struct timeval _default
*/
struct ast_str {
size_t len; /*!< The current maximum length of the string */
- size_t used; /*!< Amount of space used */
+ size_t used; /*!< Amount of space used. Does not include string's null terminator */
struct ast_threadstorage *ts; /*!< What kind of storage is this ? */
#define DS_MALLOC ((struct ast_threadstorage *)1)
#define DS_ALLOCA ((struct ast_threadstorage *)2)
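Review bot: The comment on `len` stays ambiguous about the terminator even though `used` is now explicit, and the copy_request change in channels/chan_sip.c passes `len` to `ast_copy_string` as the destination size. If `len` is the allocated size of the string buffer (the allocation is not visible in this hunk), the comment should say so, for example `size_t len; /*!< Allocated size of the buffer in bytes, including room for the null terminator */`. struct ast_str continues outside the hunk.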