res_http_websocket: Avoid reading past end of string

We read beyond the end of the buffer when copying the string out of the
buffer when we used ast_copy_string() because the original string was
not null terminated. Instead switch to ast_strndup() which does not
exhibit the same behavior.

ASTERISK-28975 #close

Change-Id: Ib4a75cffeb1eb8cf01136ef30306bd623e531a2a

diff --git a/res/res_http_websocket.c b/res/res_http_websocket.c
index b5d50e6b9649ea88f4d7065f004339ca5b24235e..d6cd359946cf3c5fa2482c711e8c63b530ce1b8c 100644 (file)
--- a/res/res_http_websocket.c
+++ b/res/res_http_websocket.c
@@ -1473,11 +1473,10 @@ int AST_OPTIONAL_API_NAME(ast_websocket_read_string)
                }
        }
 
-       if (!(*buf = ast_malloc(payload_len + 1))) {
+       if (!(*buf = ast_strndup(payload, payload_len))) {
                return -1;
        }
 
-       ast_copy_string(*buf, payload, payload_len + 1);
        return payload_len + 1;
 }