res_pjsip_registrar.c: Prevent possible buffer overflow with domain aliases

We're appropriately sizing the id_domain_alias buffer, but then copying the data
into the id_domain one. We were then using the uninitialized id_domain_alias
buffer we just allocated.

This is ASTERISK~28641 adjacent, but significant enough to warrant its own
patch.

Change-Id: I81c38724d18deab8c6573153e2b99dbb6e2f33d9

diff --git a/res/res_pjsip_registrar.c b/res/res_pjsip_registrar.c
index 62b738a845ddab0baccd4d5c25faeae7594acb18..953be2070e332cff402866683c057864d280b94b 100644 (file)
--- a/res/res_pjsip_registrar.c
+++ b/res/res_pjsip_registrar.c
@@ -975,7 +975,7 @@ static char *find_aor_name(const char *username, const char *domain, const char
        if (alias) {
                char *id_domain_alias = ast_alloca(strlen(username) + strlen(alias->domain) + 2);
 
-               sprintf(id_domain, "%s@%s", username, alias->domain);
+               sprintf(id_domain_alias, "%s@%s", username, alias->domain);
                ao2_cleanup(alias);
 
                configured_aors = strcpy(aors_buf, aors);/* Safe */