Browse code

check the '=' sign in the sdp line to be on the safe side

Miklos Tirpak authored on 23/05/2008 10:13:46
Showing 1 changed files
... ...
@@ -496,6 +496,7 @@ int select_msg_body(str* res, select_t* s, struct sip_msg* msg)
496 496
 	return 0;	
497 497
 }
498 498
 
499
+/* returns the sdp part of the message body */
499 500
 int select_msg_body_sdp(str* res, select_t* sel, struct sip_msg* msg)
500 501
 {
501 502
 	/* try to get the body part with application/sdp */
... ...
@@ -508,6 +509,7 @@ int select_msg_body_sdp(str* res, select_t* sel, struct sip_msg* msg)
508 508
 		return -1;
509 509
 }
510 510
 
511
+/* returns the value of the requested SDP line */
511 512
 int select_sdp_line(str* res, select_t* sel, struct sip_msg* msg)
512 513
 {
513 514
 	int	len;
... ...
@@ -547,7 +549,13 @@ int select_sdp_line(str* res, select_t* sel, struct sip_msg* msg)
547 547
 	while (buf < buf_end) {
548 548
 		if (*buf == line) {
549 549
 			/* the requested SDP line is found, return its value */
550
-			buf += 2;
550
+			buf++;
551
+			if ((buf >= buf_end) || (*buf != '=')) {
552
+				ERR("wrong SDP line format\n");
553
+				return -1;
554
+			}
555
+			buf++;
556
+
551 557
 			line_end = buf;
552 558
 			while ((line_end < buf_end) && (*line_end != '\n'))
553 559
 				line_end++;