Buffer overflow in switch_channel_expand_variables_check and switch_event_expand_head...

author Thomas Weber <thomas.wt.weber@atos.net>

Tue, 19 Jan 2016 13:50:38 +0000 (14:50 +0100)

committer Thomas Weber <thomas.wt.weber@atos.net>

Tue, 19 Jan 2016 13:50:38 +0000 (14:50 +0100)
author Thomas Weber <thomas.wt.weber@atos.net>
Tue, 19 Jan 2016 13:50:38 +0000 (14:50 +0100)
committer Thomas Weber <thomas.wt.weber@atos.net>
Tue, 19 Jan 2016 13:50:38 +0000 (14:50 +0100)
diff --git a/src/switch_channel.c b/src/switch_channel.c

index b9aa1d71fc47a935edad074c2e83ccbdc96a7393..68130b230ec8a2481b991dc991ac2593f3a2eb22 100644 (file)
--- a/src/switch_channel.c
+++ b/src/switch_channel.c
@@ -3825,6 +3825,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
                                         p++;
                                         continue;
                                 } else if (*(p + 1) == '\\') {
+                                       if (len + 1 >= olen) {
+                                               resize(1);
+                                       }
+
                                         *c++ = *p++;
                                         len++;
                                         continue;
@@ -3850,6 +3854,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
                         }
  
                         if (nv) {
+                               if (len + 1 >= olen) {
+                                       resize(1);
+                               }
+
                                 *c++ = *p;
                                 len++;
                                 nv = 0;
@@ -4045,11 +4053,12 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
                                 vname = NULL;
                                 br = 0;
                         }
-                       if (len + 1 >= olen) {
-                               resize(1);
-                       }
  
                         if (sp) {
+                               if (len + 1 >= olen) {
+                                       resize(1);
+                               }
+
                                 *c++ = ' ';
                                 sp = 0;
                                 len++;
@@ -4058,6 +4067,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
                         if (*p == '$') {
                                 p--;
                         } else {
+                               if (len + 1 >= olen) {
+                                       resize(1);
+                               }
+
                                 *c++ = *p;
                                 len++;
                         }
diff --git a/src/switch_event.c b/src/switch_event.c

index fea4d0691fe4ecb3b7c08c758daaffc611a736dd..ff0d272fc4fc0fc273cd55cff1647b89113f48e4 100644 (file)
--- a/src/switch_event.c
+++ b/src/switch_event.c
@@ -2240,6 +2240,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
                                         p++;
                                         continue;
                                 } else if (*(p + 1) == '\\') {
+                                       if (len + 1 >= olen) {
+                                               resize(1);
+                                       }
+
                                         *c++ = *p++;
                                         len++;
                                         continue;
@@ -2264,6 +2268,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
                         }
  
                         if (nv) {
+                               if (len + 1 >= olen) {
+                                       resize(1);
+                               }
+
                                 *c++ = *p;
                                 len++;
                                 nv = 0;
@@ -2464,11 +2472,12 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
                                 vtype = 0;
                                 br = 0;
                         }
-                       if (len + 1 >= olen) {
-                               resize(1);
-                       }
  
                         if (sp) {
+                               if (len + 1 >= olen) {
+                                       resize(1);
+                               }
+
                                 *c++ = ' ';
                                 sp = 0;
                                 len++;
@@ -2477,6 +2486,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
                         if (*p == '$') {
                                 p--;
                         } else {
+                               if (len + 1 >= olen) {
+                                       resize(1);
+                               }
+
                                 *c++ = *p;
                                 len++;
                         }
author	Thomas Weber <thomas.wt.weber@atos.net>
	Tue, 19 Jan 2016 13:50:38 +0000 (14:50 +0100)
committer	Thomas Weber <thomas.wt.weber@atos.net>
	Tue, 19 Jan 2016 13:50:38 +0000 (14:50 +0100)
src/switch_channel.c		patch \| blob \| blame \| history
src/switch_event.c		patch \| blob \| blame \| history