Browse code

sdpops: safety check when location a= line not to exceed end of message

Daniel-Constantin Mierla authored on 23/02/2015 13:29:46
Showing 1 changed files
... ...
@@ -159,12 +159,17 @@ static int mod_init(void)
159 159
 int sdp_locate_line(sip_msg_t* msg, char *pos, str *aline)
160 160
 {
161 161
 	char *p;
162
+	char *bend;
163
+
162 164
 	p = pos;
163 165
 	while(*p!='\n') p--;
164 166
 	aline->s = p + 1;
165 167
 	p = pos;
166
-	while(*p!='\n') p++;
168
+	bend = msg->buf+msg->len;
169
+	while(*p!='\n' && p<bend) p++;
167 170
 	aline->len = p - aline->s + 1;
171
+	if(unlikely(p==bend)) aline->len--;
172
+
168 173
 	return 0;
169 174
 }
170 175