Merged revisions 40057 via svnmerge from
authorKevin P. Fleming <kpfleming@digium.com>
Wed, 16 Aug 2006 18:58:43 +0000 (18:58 +0000)
committerKevin P. Fleming <kpfleming@digium.com>
Wed, 16 Aug 2006 18:58:43 +0000 (18:58 +0000)
https://origsvn.digium.com/svn/asterisk/branches/1.2

........
r40057 | kpfleming | 2006-08-16 13:57:44 -0500 (Wed, 16 Aug 2006) | 2 lines

don't allow AUEP responses to overflow the stack during a string copy (reported by Mu Security)

........

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@40058 65c4cc65-6c06-0410-ace0-fbb531ad65f3

channels/chan_mgcp.c

index 07da3a7..434d2ec 100644 (file)
@@ -2460,12 +2460,14 @@ static void handle_response(struct mgcp_endpoint *p, struct mgcp_subchannel *sub
                                                if (strncasecmp(v, p->sub->cxident, len) &&
                                                    strncasecmp(v, p->sub->next->cxident, len)) {
                                                        /* connection id not found. delete it */
-                                                       char cxident[80];
-                                                       memcpy(cxident, v, len);
-                                                       cxident[len] = '\0';
+                                                       char cxident[80] = "";
+
+                                                       if (len > (sizeof(cxident) - 1))
+                                                               len = sizeof(cxident) - 1;
+                                                       ast_copy_string(cxident, v, len);
                                                        if (option_verbose > 2) {
                                                                ast_verbose(VERBOSE_PREFIX_3 "Non existing connection id %s on %s@%s \n", 
-                                                                       cxident, p->name, gw->name);
+                                                                           cxident, p->name, gw->name);
                                                        }
                                                        transmit_connection_del_w_params(p, NULL, cxident);
                                                }