res_pjsip_dtmf_info: NULL terminate the message body.
authorJoshua Colp <jcolp@digium.com>
Thu, 3 Mar 2016 14:26:10 +0000 (10:26 -0400)
committerJoshua Colp <jcolp@digium.com>
Thu, 3 Mar 2016 16:43:20 +0000 (10:43 -0600)
PJSIP does not ensure that when printing the message body the
buffer will be NULL terminated. This is problematic when searching
for the signal and duration values of the DTMF.

This change ensures the buffer is always NULL terminated.

Change-Id: I52653a1a60c93092d06af31a27408d569cc98968

res/res_pjsip_dtmf_info.c

index 78d529c..47ccd1a 100644 (file)
@@ -82,14 +82,13 @@ static char get_event(const char *c)
 static int dtmf_info_incoming_request(struct ast_sip_session *session, struct pjsip_rx_data *rdata)
 {
        pjsip_msg_body *body = rdata->msg_info.msg->body;
-       char buf[body ? body->len : 0];
+       char buf[body ? body->len + 1 : 1];
        char *cur = buf;
        char *line;
-
        char event = '\0';
        unsigned int duration = 100;
-
        char is_dtmf;
+       int res;
 
        if (!session->channel) {
                return 0;
@@ -107,7 +106,12 @@ static int dtmf_info_incoming_request(struct ast_sip_session *session, struct pj
                return 0;
        }
 
-       body->print_body(body, buf, body->len);
+       res = body->print_body(body, buf, body->len);
+       if (res < 0) {
+               send_response(session, rdata, 500);
+               return 0;
+       }
+       buf[res] = '\0';
 
        if (is_dtmf) {
                /* directly use what is in the message body */
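Review bot: `char buf[body ? body->len + 1 : 1]` in the first hunk is still a stack VLA sized directly by the length of the incoming INFO body, so the terminator fix leaves the stack footprint under control of the remote sender; a DTMF INFO body is a few short `Signal=`/`Duration=` lines, so a fixed upper bound would be safer, e.g. a constant `MAX_DTMF_INFO_BODY_LEN` (placeholder name) with `char buf[MAX_DTMF_INFO_BODY_LEN + 1];` and `if (body->len > MAX_DTMF_INFO_BODY_LEN) { send_response(session, rdata, 413); return 0; }` next to the existing rejection paths. The second hunk's `buf[res] = '\0'` is correct as written only because `print_body` cannot return more than the `body->len` it was handed, which is worth a one-line comment such as `/* print_body writes at most body->len bytes; buf has room for the terminator */` above it. The `body ? ... : 1` arm also suggests `body` may be NULL, yet `body->print_body(...)` is called without a visible check in these hunks; if the check lives in the lines between the two hunks this is fine, otherwise it dereferences NULL. dtmf_info_incoming_request continues past the end of the second hunk.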