Module: kamailio Branch: master Commit: 2ebcb840b189d9a992923cdd32d80764987a5923 URL: https://github.com/kamailio/kamailio/commit/2ebcb840b189d9a992923cdd32d80764987a5923
Author: Carsten Bock <cars...@ng-voice.com> Committer: Carsten Bock <cars...@ng-voice.com> Date: 2015-08-28T12:11:25+02:00 utils: Fix buffer overflow; do not NULL-terminate HTTP result Fix buffer overflow in the `write_function` that takes the resulting data from libcurl. The function was trying to NULL terminate the string, but this could result in overwriting the buffer by one byte when size*nmemb == 1. This also caused some memory corruptions, reported on sr-dev. Reported by: Travis Cross <t...@traviscross.com> --- Modified: modules/utils/functions.c --- Diff: https://github.com/kamailio/kamailio/commit/2ebcb840b189d9a992923cdd32d80764987a5923.diff Patch: https://github.com/kamailio/kamailio/commit/2ebcb840b189d9a992923cdd32d80764987a5923.patch --- diff --git a/modules/utils/functions.c b/modules/utils/functions.c index 2d06403..e049056 100644 --- a/modules/utils/functions.c +++ b/modules/utils/functions.c @@ -2,7 +2,7 @@ * script functions of utils module * * Copyright (C) 2008 Juha Heinanen - * Copyright (C) 2013 Carsten Bock, ng-voice GmbH + * Copyright (C) 2013-2015 Carsten Bock, ng-voice GmbH * * This file is part of Kamailio, a free SIP server. * @@ -55,7 +55,7 @@ size_t write_function( void *ptr, size_t size, size_t nmemb, void *stream_ptr) http_res_stream_t *stream = (http_res_stream_t *) stream_ptr; stream->buf = (char *) pkg_realloc(stream->buf, stream->curr_size + - (size * nmemb) + 1); + (size * nmemb)); if (stream->buf == NULL) { LM_ERR("cannot allocate memory for stream\n"); @@ -64,15 +64,12 @@ size_t write_function( void *ptr, size_t size, size_t nmemb, void *stream_ptr) memcpy(&stream->buf[stream->pos], (char *) ptr, (size * nmemb)); - stream->curr_size += ((size * nmemb) + 1); + stream->curr_size += (size * nmemb); stream->pos += (size * nmemb); - stream->buf[stream->pos + 1] = '\0'; - return size * nmemb; } - /* * Performs http_query and saves possible result (first body line of reply) * to pvar. _______________________________________________ sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev