kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-09-25 07:01:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

chan_sip: Fix buffer overrun in sip_sipredirect.

Browse Source 
sip_sipredirect uses sscanf to copy up to 256 characters to a stacked buffer
of 256 characters.  This patch reduces the copy to 255 characters to leave
room for the string null terminator.

ASTERISK-25722 #close

Change-Id: Id6c3a629a609e94153287512c59aa1923e8a03ab
This commit is contained in:
Corey Farrell
2016-01-25 12:03:21 -05:00
parent 8c75371589
commit 830f8933c2
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
channels/chan_sip.c
View File

@@ -33012,8 +33012,8 @@ static int sip_sipredirect(struct sip_pvt *p, const char *dest)
memset(ldomain, 0, sizeof(ldomain)); memset(ldomain, 0, sizeof(ldomain));
local_to_header++; local_to_header++;
/* This is okey because lhost and lport are as big as tmp */ /* Will copy no more than 255 chars plus null terminator. */
sscanf(local_to_header, "%256[^<>; ]", ldomain); sscanf(local_to_header, "%255[^<>; ]", ldomain);
if (ast_strlen_zero(ldomain)) { if (ast_strlen_zero(ldomain)) {
ast_log(LOG_ERROR, "Can't find the host address\n"); ast_log(LOG_ERROR, "Can't find the host address\n");
return 0; return 0;