From cdb156f197e4485e440828147ca18bb30588e170 Mon Sep 17 00:00:00 2001
From: tilghman <tilghman@f38db490-d61c-443f-a65b-d21fe96a405b>
Date: Mon, 19 Jan 2009 19:49:25 +0000
Subject: Truncate userevents at the end of a line, when the command exceeds
 the buffer. (closes issue #14278)  Reported by: fnordian

git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.4@169364 f38db490-d61c-443f-a65b-d21fe96a405b
---
 apps/app_userevent.c | 11 ++++++++---
 main/manager.c       |  8 ++++++--
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/apps/app_userevent.c b/apps/app_userevent.c
index df7bc58a7..dd8000376 100644
--- a/apps/app_userevent.c
+++ b/apps/app_userevent.c
@@ -59,7 +59,7 @@ static int userevent_exec(struct ast_channel *chan, void *data)
 {
 	struct ast_module_user *u;
 	char *parse, buf[2048] = "";
-	int x, buflen = 0;
+	int x, buflen = 0, xlen;
 	AST_DECLARE_APP_ARGS(args,
 		AST_APP_ARG(eventname);
 		AST_APP_ARG(extra)[100];
@@ -77,8 +77,13 @@ static int userevent_exec(struct ast_channel *chan, void *data)
 	AST_STANDARD_APP_ARGS(args, parse);
 
 	for (x = 0; x < args.argc - 1; x++) {
-		ast_copy_string(buf + buflen, args.extra[x], sizeof(buf) - buflen - 2);
-		buflen += strlen(args.extra[x]);
+		/* Stop once a header comes up that exceeds our buffer. */
+		if (sizeof(buf) <= buflen + (xlen = strlen(args.extra[x])) + 3) {
+			ast_log(LOG_WARNING, "UserEvent exceeds our buffer length!  Truncating.\n");
+			break;
+		}
+		ast_copy_string(buf + buflen, args.extra[x], sizeof(buf) - buflen - 3);
+		buflen += xlen;
 		ast_copy_string(buf + buflen, "\r\n", 3);
 		buflen += 2;
 	}
diff --git a/main/manager.c b/main/manager.c
index c0245ad2a..7f436ad94 100644
--- a/main/manager.c
+++ b/main/manager.c
@@ -2142,11 +2142,15 @@ static int action_userevent(struct mansession *s, const struct message *m)
 {
 	const char *event = astman_get_header(m, "UserEvent");
 	char body[2048] = "";
-	int x, bodylen = 0;
+	int x, bodylen = 0, xlen;
 	for (x = 0; x < m->hdrcount; x++) {
 		if (strncasecmp("UserEvent:", m->headers[x], strlen("UserEvent:"))) {
+			if (sizeof(body) < bodylen + (xlen = strlen(m->headers[x])) + 3) {
+				ast_log(LOG_WARNING, "UserEvent exceeds our buffer length.  Truncating.\n");
+				break;
+			}
 			ast_copy_string(body + bodylen, m->headers[x], sizeof(body) - bodylen - 3);
-			bodylen += strlen(m->headers[x]);
+			bodylen += xlen;
 			ast_copy_string(body + bodylen, "\r\n", 3);
 			bodylen += 2;
 		}
-- 
cgit v1.2.3