From: Walter Doekes Date: Tue, 25 Oct 2016 09:09:59 +0000 (+0200) Subject: chan_iax2: Fix use of uninited memory in try_transfer. X-Git-Tag: 11.25.0-rc1~1^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=304f3278b5f292f1db432edbbabd0d539303fa08;p=thirdparty%2Fasterisk.git chan_iax2: Fix use of uninited memory in try_transfer. - if newip contained the right stack garbage, it would overwrite the correct IP - memmove was unnecessary Reported by: saltsa (on IRC) Change-Id: I9375589f832b08cdff5b05ba975f3c62eef80619
---
diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index ac6eb03ed9..486574244c 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -8505,24 +8505,17 @@ static int iax2_do_register_s(const void *data)
 static int try_transfer(struct chan_iax2_pvt *pvt, struct iax_ies *ies)
 {
- int newcall = 0;
- char newip[256];
 struct iax_ie_data ied;
- struct sockaddr_in new = { 0, };
 memset(&ied, 0, sizeof(ied));
- if (ies->apparent_addr)
- memmove(&new, ies->apparent_addr, sizeof(new));
- if (ies->callno)
- newcall = ies->callno;
- if (!newcall || !new.sin_addr.s_addr || !new.sin_port) {
+ if (!ies->callno || !ies->apparent_addr ||
+ !ies->apparent_addr->sin_addr.s_addr ||
+ !ies->apparent_addr->sin_port) {
 ast_log(LOG_WARNING, "Invalid transfer request\n");
 return -1;
 }
- pvt->transfercallno = newcall;
- memcpy(&pvt->transfer, &new, sizeof(pvt->transfer));
- inet_aton(newip, &pvt->transfer.sin_addr);
- pvt->transfer.sin_family = AF_INET;
+ pvt->transfercallno = ies->callno;
+ memcpy(&pvt->transfer, ies->apparent_addr, sizeof(pvt->transfer));
 pvt->transferid = ies->transferid;
 /* only store by transfercallno if this is a new transfer,
 * just in case we get a duplicate TXREQ */
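Review bot: After the new `memcpy` into `pvt->transfer`, the address family is whatever `ies->apparent_addr` carries, because the removed `pvt->transfer.sin_family = AF_INET;` has no counterpart on the new side. If `apparent_addr` is filled from the peer's transfer request, as the "Invalid transfer request" check suggests, that field is set by the remote end; keeping `pvt->transfer.sin_family = AF_INET;` right after the copy preserves the old normalisation while still dropping the uninitialised `newip` use. The guard also now reads `sin_addr` and `sin_port` through the pointer rather than from a local copy, which presumably relies on the IE parser handing over a full, suitably aligned `struct sockaddr_in`; that parser is not visible here and is worth confirming. The body of try_transfer continues past the end of this hunk.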