[asterisk-commits] mmichelson: trunk r111811 - /trunk/channels/chan_sip.c

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Fri Mar 28 15:03:16 CDT 2008


Author: mmichelson
Date: Fri Mar 28 15:03:16 2008
New Revision: 111811

URL: http://svn.digium.com/view/asterisk?view=rev&rev=111811
Log:
This time the fix is proper for issue 12284. I have tested it thoroughly and found
that valgrind no longer complains and that calls do complete correctly.

The fix is along the same lines as before: Make sure the final null terminator gets copied
into the new sip_request's data pointer. Without it, parse_request will read and potentially
write past the end of the string, causing potential crashes.

(closes issue #12284...for real this time!)
reported by falves11


Modified:
    trunk/channels/chan_sip.c

Modified: trunk/channels/chan_sip.c
URL: http://svn.digium.com/view/asterisk/trunk/channels/chan_sip.c?view=diff&rev=111811&r1=111810&r2=111811
==============================================================================
--- trunk/channels/chan_sip.c (original)
+++ trunk/channels/chan_sip.c Fri Mar 28 15:03:16 2008
@@ -8305,18 +8305,24 @@
 	memcpy(dst, src, sizeof(*dst));
 	dst->data = dup;
 
-	if (!dst->data && !(dst->data = ast_str_create(src->data->used)))
+	/* All these + 1's are to account for the need to include the NULL terminator
+	 * Using typical string functions like ast_copy_string or ast_str_set will not
+	 * work in this case because the src's data string is riddled with \0's all over
+	 * the place and so a memcpy is the only way to accurately copy the string
+	 */
+
+	if (!dst->data && !(dst->data = ast_str_create(src->data->used + 1)))
 		return;
 	else if (dst->data->len < src->data->used)
-		ast_str_make_space(&dst->data, src->data->used);
+		ast_str_make_space(&dst->data, src->data->used + 1);
 		
-	memcpy(dst->data->str, src->data->str, src->data->used);
+	memcpy(dst->data->str, src->data->str, src->data->used + 1);
 	dst->data->used = src->data->used;
 	offset = ((void *)dst->data->str) - ((void *)src->data->str);
 	/* Now fix pointer arithmetic */
-	for (x=0; x < src->headers; x++)
+	for (x = 0; x < src->headers; x++)
 		dst->header[x] += offset;
-	for (x=0; x < src->lines; x++)
+	for (x = 0; x < src->lines; x++)
 		dst->line[x] += offset;
 	/* On some occasions this function is called without parse_request being called first so lets not create an invalid pointer */
 	if (src->rlPart1)
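Review bot: the `else if (dst->data->len < src->data->used)` guard was not updated along with the allocation and copy sizes, so when an existing `dst->data` has `len` exactly equal to `src->data->used`, `ast_str_make_space` is skipped and the following `memcpy(..., src->data->used + 1)` writes the terminator one byte past the end of the buffer, which is the same class of off-by-one the commit sets out to fix. The condition should read `else if (dst->data->len < src->data->used + 1)` to match the `+ 1` on the `ast_str_create` and `ast_str_make_space` calls. Two smaller points: the return value of `ast_str_make_space` is not checked, so a failed reallocation would still be followed by the `memcpy`; and the new comment says "NULL terminator" where "NUL terminator" (the `\0` byte, not the null pointer) is the accurate term, and there is trailing whitespace on the blank line after that branch.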
