From: Richard Mudgett
Date: Fri, 21 Aug 2015 20:26:30 +0000 (-0500)
Subject: res_pjsip_pubsub.c: Fix one byte buffer overrun error.
X-Git-Tag: 13.6.0-rc1~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b3ed52239b24546b1ee12156dadccb70db7403e;p=thirdparty%2Fasterisk.git

res_pjsip_pubsub.c: Fix one byte buffer overrun error.

ast_sip_pubsub_register_body_generator() did not account for the null terminator set by sprintf() in the allocated output buffer.

Change-Id: I388688a132e479bca6ad1c19275eae0070969ae2
---
diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c
index f8187897a0..c60151e3c3 100644
--- a/res/res_pjsip_pubsub.c
+++ b/res/res_pjsip_pubsub.c
@@ -2995,16 +2995,13 @@ int ast_sip_pubsub_register_body_generator(struct ast_sip_pubsub_body_generator
 AST_LIST_INSERT_HEAD(&body_generators, generator, list);
 AST_RWLIST_UNLOCK(&body_generators);
- /* Lengths of type and subtype plus space for a slash. pj_str_t is not
- * null-terminated, so there is no need to allocate for the extra null
- * byte
- */
+ /* Lengths of type and subtype plus a slash. */
 accept_len = strlen(generator->type) + strlen(generator->subtype) + 1;
- accept.ptr = ast_alloca(accept_len);
- accept.slen = accept_len;
- /* Safe use of sprintf */
- sprintf(accept.ptr, "%s/%s", generator->type, generator->subtype);
+ /* Add room for null terminator that sprintf() will set. */
+ pj_strset(&accept, ast_alloca(accept_len + 1), accept_len);
+ sprintf((char *) pj_strbuf(&accept), "%s/%s", generator->type, generator->subtype);/* Safe */
+
 pjsip_endpt_add_capability(ast_sip_get_pjsip_endpoint(), &pubsub_module, PJSIP_H_ACCEPT, NULL, 1, &accept);
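Review bot: The `sprintf()` into the `ast_alloca(accept_len + 1)` buffer is still bounded only by arithmetic that has to be kept in step by hand, which is the same pattern that produced the one-byte overrun this commit fixes. Passing the size to the write makes the bound explicit and keeps it correct if the format string is ever changed: `snprintf((char *) pj_strbuf(&accept), accept_len + 1, "%s/%s", generator->type, generator->subtype);`. The trailing `/* Safe */` would help the next reader more if it said why, for example `/* Safe: buffer is accept_len + 1 bytes = type + '/' + subtype + NUL */`. The buffer is on this function's stack, so the code presumably relies on `pjsip_endpt_add_capability()` copying the string rather than keeping the pointer. The function starts and ends outside the hunk, so that assumption and any NULL check on `generator->type` and `generator->subtype` before the `strlen()` calls cannot be confirmed from here.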