From: Nickolay Shmyrev <nshmyrev@alphacephei.com>
Date: Thu, 2 Jul 2020 22:19:50 +0000 (+0200)
Subject: res_http_websocket: Avoid reading past end of string
X-Git-Tag: 13.36.0-rc1~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f8f934b5451c4671dcdd5f02a1de4aa386944b53;p=thirdparty%2Fasterisk.git

res_http_websocket: Avoid reading past end of string

We read beyond the end of the buffer when copying the string out of the
buffer when we used ast_copy_string() because the original string was
not null terminated. Instead switch to ast_strndup() which does not
exhibit the same behavior.

ASTERISK-28975 #close

Change-Id: Ib4a75cffeb1eb8cf01136ef30306bd623e531a2a
---

diff --git a/res/res_http_websocket.c b/res/res_http_websocket.c
index 541c22f8a7..1f8a58d922 100644
--- a/res/res_http_websocket.c
+++ b/res/res_http_websocket.c
@@ -1455,11 +1455,10 @@ int AST_OPTIONAL_API_NAME(ast_websocket_read_string)
 		}
 	}
 
-	if (!(*buf = ast_malloc(payload_len + 1))) {
+	if (!(*buf = ast_strndup(payload, payload_len))) {
 		return -1;
 	}
 
-	ast_copy_string(*buf, payload, payload_len + 1);
 	return payload_len + 1;
 }