chan_sip: Fix buffer overrun in sip_sipredirect. 80/2080/1
authorCorey Farrell <git@cfware.com>
Mon, 25 Jan 2016 17:03:21 +0000 (12:03 -0500)
committerCorey Farrell <git@cfware.com>
Mon, 25 Jan 2016 17:12:46 +0000 (11:12 -0600)
sip_sipredirect uses sscanf to copy up to 256 characters into a stack buffer
of 256 characters.  This patch reduces the copy to 255 characters to leave
room for the string's null terminator.

ASTERISK-25722 #close

Change-Id: Id6c3a629a609e94153287512c59aa1923e8a03ab

channels/chan_sip.c

index bd2f3982b70de3d88c4936997cd6758f024f7be9..5436ab3f4c708bf802a43c73b58a7299023952c7 100644 (file)
@@ -33395,8 +33395,8 @@ static int sip_sipredirect(struct sip_pvt *p, const char *dest)
 
                        memset(ldomain, 0, sizeof(ldomain));
                        local_to_header++;
-                       /* This is okey because lhost and lport are as big as tmp */
-                       sscanf(local_to_header, "%256[^<>; ]", ldomain);
+                       /* Will copy no more than 255 chars plus null terminator. */
+                       sscanf(local_to_header, "%255[^<>; ]", ldomain);
                        if (ast_strlen_zero(ldomain)) {
                                ast_log(LOG_ERROR, "Can't find the host address\n");
                                return 0;
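Review bot: The width `255` in the new sscanf format is a bare literal that must stay in step with the size of `ldomain`, whose declaration is outside this hunk; if that array is ever resized, the overrun can return without any compiler diagnostic. Deriving the bound from the buffer removes the coupling and lets an over-long host be rejected instead of silently truncated: `size_t n = strcspn(local_to_header, "<>; ");`, then `if (n >= sizeof(ldomain)) { return 0; }`, then `memcpy(ldomain, local_to_header, n);` (the memset above already supplies the terminator). If the sscanf form is kept, the comment should name the dependency, e.g. `/* ldomain is 256 bytes; width 255 leaves room for the NUL that sscanf appends. */`. sip_sipredirect's body starts and ends outside the hunk.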