[asterisk-commits] kpfleming: branch 1.2 r40057 -
/branches/1.2/channels/chan_mgcp.c
asterisk-commits at lists.digium.com
asterisk-commits at lists.digium.com
Wed Aug 16 11:57:44 MST 2006
Author: kpfleming
Date: Wed Aug 16 13:57:44 2006
New Revision: 40057
URL: http://svn.digium.com/view/asterisk?rev=40057&view=rev
Log:
don't allow AUEP responses to overflow the stack during a string copy (reported by Mu Security)
Modified:
branches/1.2/channels/chan_mgcp.c
Modified: branches/1.2/channels/chan_mgcp.c
URL: http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_mgcp.c?rev=40057&r1=40056&r2=40057&view=diff
==============================================================================
--- branches/1.2/channels/chan_mgcp.c (original)
+++ branches/1.2/channels/chan_mgcp.c Wed Aug 16 13:57:44 2006
@@ -2478,12 +2478,14 @@
if (strncasecmp(v, p->sub->cxident, len) &&
strncasecmp(v, p->sub->next->cxident, len)) {
/* connection id not found. delete it */
- char cxident[80];
- memcpy(cxident, v, len);
- cxident[len] = '\0';
+ char cxident[80] = "";
+
+ if (len > (sizeof(cxident) - 1))
+ len = sizeof(cxident) - 1;
+ ast_copy_string(cxident, v, len);
if (option_verbose > 2) {
ast_verbose(VERBOSE_PREFIX_3 "Non existing connection id %s on %s@%s \n",
- cxident, p->name, gw->name);
+ cxident, p->name, gw->name);
}
transmit_connection_del_w_params(p, NULL, cxident);
}
More information about the asterisk-commits
mailing list