
- fixed bad buffer size calculation in build_res_buf_from_sip_req (bug reported by daniel & nils)

Andrei Pelinescu-Onciul authored on 24/01/2003 15:23:05
Showing 1 changed files
... ...
@@ -643,8 +643,9 @@ char * build_res_buf_from_sip_req( unsigned int code, char *text,
643 643
 	char              backup;
644 644
 	char              *received_buf;
645 645
 	char              *rport_buf;
646
-	unsigned int               received_len;
647
-	unsigned int               rport_len;
646
+	unsigned int      received_len;
647
+	unsigned int      rport_len;
648
+	unsigned int      delete_len;
648 649
 	char              *warning;
649 650
 	unsigned int      warning_len;
650 651
 	int r;
... ...
@@ -654,6 +655,7 @@ char * build_res_buf_from_sip_req( unsigned int code, char *text,
654 655
 	received_len=0;
655 656
 	rport_buf=0;
656 657
 	rport_len=0;
658
+	delete_len=0;
657 659
 	buf=0;
658 660
 	/* make -Wall happy */
659 661
 	warning=0;
... ...
@@ -687,6 +689,7 @@ char * build_res_buf_from_sip_req( unsigned int code, char *text,
687 689
 							" rport_builder failed\n");
688 690
 			goto error01; /* free everything */
689 691
 		}
692
+		delete_len=msg->via1->rport->size+1; /* include ';' */
690 693
 	}
691 694
 
692 695
 	/*computes the lenght of the new response buffer*/
... ...
@@ -706,7 +709,7 @@ char * build_res_buf_from_sip_req( unsigned int code, char *text,
706 709
 					len+=new_tag_len+TOTAG_TOKEN_LEN/*";tag="*/;
707 710
 			}
708 711
 		} else if (hdr->type==HDR_VIA) {
709
-				if (hdr==msg->h_via1) len += received_len+rport_len-RPORT_LEN;
712
+				if (hdr==msg->h_via1) len += received_len+rport_len;
710 713
 		} else if (hdr->type==HDR_RECORDROUTE) {
711 714
 				/* RR only for 1xx and 2xx replies */
712 715
 				if (code<180 || code>=300) continue;
... ...
@@ -717,6 +720,7 @@ char * build_res_buf_from_sip_req( unsigned int code, char *text,
717 720
 		}
718 721
 		len += ((hdr->body.s+hdr->body.len )-hdr->name.s )+CRLF_LEN;
719 722
 	}
723
+	len-=delete_len;
720 724
 	/*lumps length*/
721 725
 	for(lump=msg->reply_lump;lump;lump=lump->next)
722 726
 		len += lump->text.len;
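Review bot: `len-=delete_len;` runs unconditionally after the header loop, but the bytes it compensates for are only counted inside the `HDR_VIA` branch when `hdr==msg->h_via1`. If that branch were ever skipped for the first Via, `len` would come out `rport->size+1` bytes short and the later copy into the allocated buffer could write past its end. Folding the adjustment into the branch, `if (hdr==msg->h_via1) len += received_len+rport_len-delete_len;`, keeps the subtraction tied to the header it belongs to. The `+1` also assumes the `;` sits immediately before the parameter and that the copy code skips exactly `delete_len` bytes; that code is not in the visible hunks, so a comment such as `/* must equal the bytes skipped when via1 is copied */` on the assignment would document the coupling. The body of build_res_buf_from_sip_req starts and ends outside the hunks shown.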