
check the '=' sign in the sdp line to be on the safe side

Miklos Tirpak authored on 23/05/2008 10:13:46
Showing 1 changed files
... ...
@@ -496,6 +496,7 @@ int select_msg_body(str* res, select_t* s, struct sip_msg* msg)
496 496
 	return 0;	
497 497
 }
498 498
 
499
+/* returns the sdp part of the message body */
499 500
 int select_msg_body_sdp(str* res, select_t* sel, struct sip_msg* msg)
500 501
 {
501 502
 	/* try to get the body part with application/sdp */
... ...
@@ -508,6 +509,7 @@ int select_msg_body_sdp(str* res, select_t* sel, struct sip_msg* msg)
508 509
 		return -1;
509 510
 }
510 511
 
512
+/* returns the value of the requested SDP line */
511 513
 int select_sdp_line(str* res, select_t* sel, struct sip_msg* msg)
512 514
 {
513 515
 	int	len;
... ...
@@ -547,7 +549,13 @@ int select_sdp_line(str* res, select_t* sel, struct sip_msg* msg)
547 549
 	while (buf < buf_end) {
548 550
 		if (*buf == line) {
549 551
 			/* the requested SDP line is found, return its value */
550
-			buf += 2;
552
+			buf++;
553
+			if ((buf >= buf_end) || (*buf != '=')) {
554
+				ERR("wrong SDP line format\n");
555
+				return -1;
556
+			}
557
+			buf++;
558
+
551 559
 			line_end = buf;
552 560
 			while ((line_end < buf_end) && (*line_end != '\n'))
553 561
 				line_end++;
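Review bot: The `ERR("wrong SDP line format\n")` added at new lines 553-556 is driven by bytes from the message body, so a peer that sends a matching line letter without `=` can produce one error-level log entry per message, and the entry does not say which line type was being looked up. Consider naming the line type, e.g. `ERR("wrong SDP line format: '=' expected after '%c'\n", line);` (assuming `line` is a char; its declaration is outside the hunk), and confirm that error level is intended for remotely triggerable input. The early `return -1` also ends the scan at the first malformed match, so a well-formed line of the same type further down the body is never returned; if that is deliberate, a comment such as `/* a malformed line aborts the lookup; later lines are not tried */` would make it explicit. The body of select_sdp_line starts and ends outside this hunk, so whether `*buf == line` is only tested at the start of a line cannot be checked from here.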