mod_skinny: fix potential overflow CID: 1060947
authorNathan Neulinger <nneul@neulinger.org>
Tue, 5 Aug 2014 16:26:20 +0000 (11:26 -0500)
committerNathan Neulinger <nneul@neulinger.org>
Tue, 5 Aug 2014 16:26:20 +0000 (11:26 -0500)
src/mod/endpoints/mod_skinny/mod_skinny.h
src/mod/endpoints/mod_skinny/skinny_server.c

index e3571dfe950d968422ed6a664ab30dca77d529b3..425710dae470c0f0e41ef96aacce401c2240932b 100644 (file)
@@ -336,6 +336,8 @@ switch_endpoint_interface_t *skinny_get_endpoint_interface();
 #define skinny_textid2raw(label) (label > 0 ? switch_mprintf("\200%c", label) : switch_mprintf(""))
 char *skinny_format_message(const char *str);
 
+#define SKINNY_MAX_STRING 16384
+
 #endif /* _MOD_SKINNY_H */
 
 /* For Emacs:
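Review bot: The new `SKINNY_MAX_STRING` define carries no comment saying what it bounds or in which unit. Its name reads as a general string limit, but the only use visible in this commit is the codec string length check in skinny_server.c. I would add a comment above it such as `/* Maximum length in bytes of the codec string built from a capabilities response */`. If other message fields are meant to share the limit, the comment should say so; otherwise a narrower name would keep it from being reused for buffers it was not sized for.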
index eae49543513aebdafc330e8fd86a1e32cbcb9c14..c1be92c3c4ce147e7b4b591b8e686bae2f177b8c 100644 (file)
@@ -1802,6 +1802,12 @@ switch_status_t skinny_handle_capabilities_response(listener_t *listener, skinny
        }
        i = 0;
        pos = 0;
+
+       if ( string_len > SKINNY_MAX_STRING ) {
+               skinny_log_l_msg(listener, SWITCH_LOG_ERROR, "Codec string list too long.\n");
+               return SWITCH_STATUS_FALSE;
+       }
+
        codec_string = calloc(string_len+1,1);
        if ( !codec_string ) {
                skinny_log_l_msg(listener, SWITCH_LOG_ERROR, "Unable to allocate memory for codec string.\n");
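Review bot: The added guard rejects only values above `SKINNY_MAX_STRING`, so it does nothing for a `string_len` that is already negative or has wrapped by the time it reaches this point. The declaration of `string_len` and the code that computes it are outside the hunk. If it is a signed type, the check should be `if ( string_len < 0 || string_len > SKINNY_MAX_STRING ) {` so that `calloc(string_len+1,1)` never receives a negative count converted to a very large size. The code that later fills `codec_string` is also outside the hunk, and it is worth confirming that it writes no more than `string_len` bytes, since the allocation size is the only bound this change enforces.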