Browse code

core: fixed segmentation fault when handling multipart bodies

Function check_boundaries() in msg_translator.c not handling property the length of the buffers when it needs to repair the boundary, getting a negative lenght and causing a segmentation fault.

Nacho Garcia Segovia authored on 07/12/2018 10:19:52
Showing 1 changed files
... ...
@@ -1838,10 +1838,10 @@ int check_boundaries(struct sip_msg *msg, struct dest_info *send_info)
1838 1838
 			tmp.len = get_line(lb_t->s);
1839 1839
 			if(tmp.len!=b.len || strncmp(b.s, tmp.s, b.len)!=0)
1840 1840
 			{
1841
-				LM_DBG("malformed bondary in the middle\n");
1841
+				LM_DBG("malformed boundary in the middle\n");
1842 1842
 				memcpy(pb, b.s, b.len); body.len = body.len + b.len;
1843 1843
 				pb = pb + b.len;
1844
-				t = lb_t->s.s - (lb_t->s.s + tmp.len);
1844
+				t = lb_t->next->s.s - (lb_t->s.s + tmp.len);
1845 1845
 				memcpy(pb, lb_t->s.s+tmp.len, t); pb = pb + t;
1846 1846
 				/*LM_DBG("new chunk[%d][%.*s]\n", t, t, pb-t);*/
1847 1847
 			}