Buffer overflow in switch_channel_expand_variables_check and switch_event_expand_head...

author Thomas Weber <thomas.wt.weber@atos.net>

Tue, 19 Jan 2016 13:50:38 +0000 (14:50 +0100)

committer Anthony Minessale <anthm@freeswitch.org>

Tue, 19 Apr 2016 16:44:35 +0000 (11:44 -0500)
author Thomas Weber <thomas.wt.weber@atos.net>
Tue, 19 Jan 2016 13:50:38 +0000 (14:50 +0100)
committer Anthony Minessale <anthm@freeswitch.org>
Tue, 19 Apr 2016 16:44:35 +0000 (11:44 -0500)
diff --git a/src/switch_channel.c b/src/switch_channel.c

index 02f391a7a32b4b55819adad0dd31766bc43d7b16..9a1ce6d23b0485fe626b0c9dff8851b0887e4ae7 100644 (file)
--- a/src/switch_channel.c
+++ b/src/switch_channel.c
@@ -3883,6 +3883,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
                                         p++;
                                         continue;
                                 } else if (*(p + 1) == '\\') {
+                                       if (len + 1 >= olen) {
+                                               resize(1);
+                                       }
+
                                         *c++ = *p++;
                                         len++;
                                         continue;
@@ -3908,6 +3912,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
                         }
  
                         if (nv) {
+                               if (len + 1 >= olen) {
+                                       resize(1);
+                               }
+
                                 *c++ = *p;
                                 len++;
                                 nv = 0;
@@ -4103,11 +4111,12 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
                                 vname = NULL;
                                 br = 0;
                         }
-                       if (len + 1 >= olen) {
-                               resize(1);
-                       }
  
                         if (sp) {
+                               if (len + 1 >= olen) {
+                                       resize(1);
+                               }
+
                                 *c++ = ' ';
                                 sp = 0;
                                 len++;
@@ -4116,6 +4125,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
                         if (*p == '$') {
                                 p--;
                         } else {
+                               if (len + 1 >= olen) {
+                                       resize(1);
+                               }
+
                                 *c++ = *p;
                                 len++;
                         }
diff --git a/src/switch_event.c b/src/switch_event.c

index cf1a2b922a721ad145b3847818549059ad3a1097..58d5b81735adfd2d4d5e8b50c564b275046d4879 100644 (file)
--- a/src/switch_event.c
+++ b/src/switch_event.c
@@ -2240,6 +2240,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
                                         p++;
                                         continue;
                                 } else if (*(p + 1) == '\\') {
+                                       if (len + 1 >= olen) {
+                                               resize(1);
+                                       }
+
                                         *c++ = *p++;
                                         len++;
                                         continue;
@@ -2264,6 +2268,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
                         }
  
                         if (nv) {
+                               if (len + 1 >= olen) {
+                                       resize(1);
+                               }
+
                                 *c++ = *p;
                                 len++;
                                 nv = 0;
@@ -2464,11 +2472,12 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
                                 vtype = 0;
                                 br = 0;
                         }
-                       if (len + 1 >= olen) {
-                               resize(1);
-                       }
  
                         if (sp) {
+                               if (len + 1 >= olen) {
+                                       resize(1);
+                               }
+
                                 *c++ = ' ';
                                 sp = 0;
                                 len++;
@@ -2477,6 +2486,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
                         if (*p == '$') {
                                 p--;
                         } else {
+                               if (len + 1 >= olen) {
+                                       resize(1);
+                               }
+
                                 *c++ = *p;
                                 len++;
                         }
author	Thomas Weber <thomas.wt.weber@atos.net>
	Tue, 19 Jan 2016 13:50:38 +0000 (14:50 +0100)
committer	Anthony Minessale <anthm@freeswitch.org>
	Tue, 19 Apr 2016 16:44:35 +0000 (11:44 -0500)
src/switch_channel.c		patch \| blob \| blame \| history
src/switch_event.c		patch \| blob \| blame \| history