[asterisk-commits] tilghman: branch 1.4 r169364 - in /branches/1.4: apps/ main/

[SVN commits to the Asterisk project]

Author: tilghman
Date: Mon Jan 19 13:49:25 2009
New Revision: 169364

URL: http://svn.digium.com/svn-view/asterisk?view=rev&rev=169364
Log:
Truncate userevents at the end of a line, when the command exceeds the buffer.
(closes issue #14278)
 Reported by: fnordian

Modified:
    branches/1.4/apps/app_userevent.c
    branches/1.4/main/manager.c

Modified: branches/1.4/apps/app_userevent.c
URL: http://svn.digium.com/svn-view/asterisk/branches/1.4/apps/app_userevent.c?view=diff&rev=169364&r1=169363&r2=169364
==============================================================================
--- branches/1.4/apps/app_userevent.c (original)
+++ branches/1.4/apps/app_userevent.c Mon Jan 19 13:49:25 2009
@@ -59,7 +59,7 @@
 {
 	struct ast_module_user *u;
 	char *parse, buf[2048] = "";
-	int x, buflen = 0;
+	int x, buflen = 0, xlen;
 	AST_DECLARE_APP_ARGS(args,
 		AST_APP_ARG(eventname);
 		AST_APP_ARG(extra)[100];
@@ -77,8 +77,13 @@
 	AST_STANDARD_APP_ARGS(args, parse);
 
 	for (x = 0; x < args.argc - 1; x++) {
-		ast_copy_string(buf + buflen, args.extra[x], sizeof(buf) - buflen - 2);
-		buflen += strlen(args.extra[x]);
+		/* Stop once a header comes up that exceeds our buffer. */
+		if (sizeof(buf) <= buflen + (xlen = strlen(args.extra[x])) + 3) {
+			ast_log(LOG_WARNING, "UserEvent exceeds our buffer length!  Truncating.\n");
+			break;
+		}
+		ast_copy_string(buf + buflen, args.extra[x], sizeof(buf) - buflen - 3);
+		buflen += xlen;
 		ast_copy_string(buf + buflen, "\r\n", 3);
 		buflen += 2;
 	}

Modified: branches/1.4/main/manager.c
URL: http://svn.digium.com/svn-view/asterisk/branches/1.4/main/manager.c?view=diff&rev=169364&r1=169363&r2=169364
==============================================================================
--- branches/1.4/main/manager.c (original)
+++ branches/1.4/main/manager.c Mon Jan 19 13:49:25 2009
@@ -2142,11 +2142,15 @@
 {
 	const char *event = astman_get_header(m, "UserEvent");
 	char body[2048] = "";
-	int x, bodylen = 0;
+	int x, bodylen = 0, xlen;
 	for (x = 0; x < m->hdrcount; x++) {
 		if (strncasecmp("UserEvent:", m->headers[x], strlen("UserEvent:"))) {
+			if (sizeof(body) < bodylen + (xlen = strlen(m->headers[x])) + 3) {
+				ast_log(LOG_WARNING, "UserEvent exceeds our buffer length.  Truncating.\n");
+				break;
+			}
 			ast_copy_string(body + bodylen, m->headers[x], sizeof(body) - bodylen - 3);
-			bodylen += strlen(m->headers[x]);
+			bodylen += xlen;
 			ast_copy_string(body + bodylen, "\r\n", 3);
 			bodylen += 2;
 		}