mirror of
https://github.com/asterisk/asterisk.git
synced 2025-09-16 09:52:24 +00:00
076423aa18
ast_websocket_read() receives data into a fixed 64K buffer then continually reallocates a final buffer that, after all continuation frames have been received, is the exact length of the data received and returns that to the caller. process_text_message() in chan_websocket was attempting to set a NULL terminator on the received payload assuming the payload buffer it received was the large 64K buffer. The assumption was incorrect so when it tried to set a NULL terminator on the payload, it could, depending on the state of the heap at the time, cause heap corruption. process_text_message() now allocates its own payload_len + 1 sized buffer, copies the payload received from ast_websocket_read() into it then NULL terminates it prevent the possibility of the overrun and corruption. Resolves: #1384