[Asterisk-code-review] chan sip: Fix buffer overrun in sip sipredirect. (asterisk[11])

Joshua Colp asteriskteam at digium.com
Mon Jan 25 11:48:38 CST 2016


Joshua Colp has submitted this change and it was merged.

Change subject: chan_sip: Fix buffer overrun in sip_sipredirect.
......................................................................


chan_sip: Fix buffer overrun in sip_sipredirect.

sip_sipredirect uses sscanf to copy up to 256 characters to a stacked buffer
of 256 characters.  This patch reduces the copy to 255 characters to leave
room for the string null terminator.

ASTERISK-25722 #close

Change-Id: Id6c3a629a609e94153287512c59aa1923e8a03ab
---
M channels/chan_sip.c
1 file changed, 2 insertions(+), 2 deletions(-)

Approvals:
  Richard Mudgett: Looks good to me, but someone else must approve
  Anonymous Coward #1000019: Verified
  Joshua Colp: Looks good to me, approved



diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index bd2f398..5436ab3 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -33395,8 +33395,8 @@
 
 			memset(ldomain, 0, sizeof(ldomain));
 			local_to_header++;
-			/* This is okey because lhost and lport are as big as tmp */
-			sscanf(local_to_header, "%256[^<>; ]", ldomain);
+			/* Will copy no more than 255 chars plus null terminator. */
+			sscanf(local_to_header, "%255[^<>; ]", ldomain);
 			if (ast_strlen_zero(ldomain)) {
 				ast_log(LOG_ERROR, "Can't find the host address\n");
 				return 0;

-- 
To view, visit https://gerrit.asterisk.org/2080
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Id6c3a629a609e94153287512c59aa1923e8a03ab
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: 11
Gerrit-Owner: Corey Farrell <git at cfware.com>
Gerrit-Reviewer: Anonymous Coward #1000019
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Richard Mudgett <rmudgett at digium.com>



More information about the asterisk-code-review mailing list