
- dst_uri buffer overflow check, discovered in openser (the fix is slightly different due to slight changes in the append_branch function). Note: this is not such a big problem as it might sound, the only module using append_branch() with a non-zero dst_uri is registrar and in this case it sets dst_uri to the received address which is always < 1024 (so it's always safe).

Andrei Pelinescu-Onciul authored on 15/12/2006 09:09:11
Showing 1 changed files
... ...
@@ -157,6 +157,12 @@ int append_branch(struct sip_msg* msg, char* uri, int uri_len, char* dst_uri, in
157 157
 		    uri_len, uri);
158 158
 		return -1;
159 159
 	}
160
+	
161
+	if (dst_uri_len > MAX_URI_SIZE - 1) {
162
+		LOG(L_ERR, "ERROR: append_branch: too long dst_uri: %.*s\n",
163
+		    dst_uri_len, ZSW(dst_uri));
164
+		return -1;
165
+	}
160 166
 
161 167
 	     /* if not parameterized, take current uri */
162 168
 	if (uri == 0) {
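
Review bot: the LOG call in the new branch prints the rejected value with `%.*s` and `dst_uri_len`, so the one path that only runs on oversized input writes the entire oversized string to the error log at L_ERR. Consider logging the length and, at most, a prefix bounded by MAX_URI_SIZE. The check `dst_uri_len > MAX_URI_SIZE - 1` also bounds the length only from above: if dst_uri_len is a signed int like uri_len in the signature, a negative value passes it, so rejecting `dst_uri_len < 0` here (or taking an unsigned length) would close that case. A short comment naming the buffer that MAX_URI_SIZE - 1 protects would help, since the copy itself is outside this hunk.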