git.ipfire.org Git - thirdparty/asterisk.git/commit
PJSIP XML, XPIDF: Fix buffer size overwrite memory corruption error. 72/1172/1
author Richard Mudgett <rmudgett@digium.com>
Thu, 2 Jul 2015 19:51:29 +0000 (14:51 -0500)
committer Mark Michelson <mmichelson@digium.com>
Tue, 1 Sep 2015 15:29:06 +0000 (10:29 -0500)
commit 1c89230e2a0509bad7de0c4f2146f8ebf7772802
tree c9bac3ed7c6c7317bc81c875375f533265f73eab
parent 2f2c35e91d84e1b688c0357f7aea2b215f6c6f5f
PJSIP XML, XPIDF: Fix buffer size overwrite memory corruption error.

When res_pjsip body generator modules were generating XML or XPIDF
response bodies, there was a chance that the generated body would be the
exact size of the supplied buffer.  Adding the nul string terminator would
then write beyond the end of the buffer and potentially corrupt memory.

* Fix MALLOC_DEBUG high fence violations caused by adding a nul string
terminator on the end of a buffer for XML or XPIDF response bodies.

* Made calls to pj_xml_print() safer if the XML prolog is requested.  Due
to a bug in pjproject, the return value could be -1 _or_
AST_PJSIP_XML_PROLOG_LEN if the supplied buffer is not large enough.

* Updated the doxygen comment of AST_PJSIP_XML_PROLOG_LEN to describe the
return value of pj_xml_print() when the supplied buffer is not large
enough.

ASTERISK-25168
Reported by: Carl Fortin

Change-Id: Id70e1d373a6a2b2bd9e678b5cbc5e55b308981de
include/asterisk/res_pjsip_presence_xml.h
res/res_pjsip_dialog_info_body_generator.c
res/res_pjsip_pidf_body_generator.c
res/res_pjsip_pubsub.c
res/res_pjsip_xpidf_body_generator.c
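
The off-by-one described in the commit message, as an added example that is not Asterisk or pjproject code: the wrapper offers the printer one byte less than the buffer holds so the terminator always fits, and treats both failure values as errors. `model_xml_print` is a hypothetical stand-in that models the return values the message names, and `PROLOG`/`PROLOG_LEN` are constructed here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed prolog; PROLOG_LEN plays the role of AST_PJSIP_XML_PROLOG_LEN. */
#define PROLOG "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
#define PROLOG_LEN ((int) (sizeof(PROLOG) - 1))

/* Hypothetical stand-in for the XML printer (not pjproject code). Writes at
 * most len bytes and never a terminator. When the buffer is too small it
 * returns -1 or PROLOG_LEN, the two failure values the commit message names. */
static int model_xml_print(const char *doc, char *buf, size_t len, int prolog)
{
    size_t need = strlen(doc), used = 0;
    if (prolog) {
        if (len < (size_t) PROLOG_LEN)
            return -1;
        memcpy(buf, PROLOG, (size_t) PROLOG_LEN);
        used = (size_t) PROLOG_LEN;
    }
    if (len - used < need)
        return prolog ? PROLOG_LEN : -1;
    memcpy(buf + used, doc, need);
    return (int) (used + need);
}

/* Print doc into buf[size] as a C string. Returns the text length, or -1 when
 * the text plus its terminator does not fit. doc must be non-empty (a real
 * document has a root element), so success with a prolog exceeds PROLOG_LEN. */
int print_xml_terminated(const char *doc, char *buf, size_t size, int prolog)
{
    if (size == 0)
        return -1;
    /* Offer size - 1 bytes so an exact-fit body still leaves room for '\0'. */
    int n = model_xml_print(doc, buf, size - 1, prolog);
    if (n < 0 || (prolog && n <= PROLOG_LEN)) {
        buf[0] = '\0';
        return -1;
    }
    buf[n] = '\0';
    return n;
}

int main(void)
{
    char buf[51];
    printf("%d\n", print_xml_terminated("<presence/>", buf, 50, 1));
    printf("%d\n", print_xml_terminated("<presence/>", buf, 51, 1));
    return 0;
}
```

A 50-byte body in a 50-byte buffer is rejected; the same body in a 51-byte buffer succeeds with the terminator at index 50.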