diff options
author | kpfleming <kpfleming@f38db490-d61c-443f-a65b-d21fe96a405b> | 2006-08-16 18:58:43 +0000 |
---|---|---|
committer | kpfleming <kpfleming@f38db490-d61c-443f-a65b-d21fe96a405b> | 2006-08-16 18:58:43 +0000 |
commit | 5679124fb229a1d46487d386a189b39f940019bb (patch) | |
tree | 409ac9d39747ec5ad42f8b044141fcbf09bf0c90 /channels/chan_mgcp.c | |
parent | ce13dec6218e8cec38084f550da47d24e7b69950 (diff) |
Merged revisions 40057 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.2
........
r40057 | kpfleming | 2006-08-16 13:57:44 -0500 (Wed, 16 Aug 2006) | 2 lines
don't allow AUEP responses to overflow the stack during a string copy (reported by Mu Security)
........
git-svn-id: http://svn.digium.com/svn/asterisk/trunk@40058 f38db490-d61c-443f-a65b-d21fe96a405b
Diffstat (limited to 'channels/chan_mgcp.c')
-rw-r--r-- | channels/chan_mgcp.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/channels/chan_mgcp.c b/channels/chan_mgcp.c index 07da3a75d..434d2ece0 100644 --- a/channels/chan_mgcp.c +++ b/channels/chan_mgcp.c @@ -2460,12 +2460,14 @@ static void handle_response(struct mgcp_endpoint *p, struct mgcp_subchannel *sub if (strncasecmp(v, p->sub->cxident, len) && strncasecmp(v, p->sub->next->cxident, len)) { /* connection id not found. delete it */ - char cxident[80]; - memcpy(cxident, v, len); - cxident[len] = '\0'; + char cxident[80] = ""; + + if (len > (sizeof(cxident) - 1)) + len = sizeof(cxident) - 1; + ast_copy_string(cxident, v, len); if (option_verbose > 2) { ast_verbose(VERBOSE_PREFIX_3 "Non existing connection id %s on %s@%s \n", - cxident, p->name, gw->name); + cxident, p->name, gw->name); } transmit_connection_del_w_params(p, NULL, cxident); } |