The MGCP message isn't always NUL-terminated when it arrives at
mgcp_handle_message(), so the string-based parsing that follows may read
past the end of the message (undefined behaviour).

This patch ensures that the message text is NUL-terminated by
setting *msg->tail to '\0' in mgcp_handle_message().

Addresses:
<000b> mgcp_protocol.c:642 Unhandled option: 'r'/114 on 0x3
<000b> mgcp_protocol.c:593 Unhandled SDP option: '='/61 on 0x3
<000b> mgcp_protocol.c:871 Unhandled option: '.'/46 on 0x2

Sponsored-by: On-Waves ehf
---
 openbsc/src/libmgcp/mgcp_protocol.c |   13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/openbsc/src/libmgcp/mgcp_protocol.c 
b/openbsc/src/libmgcp/mgcp_protocol.c
index d4a23a7..44c93f7 100644
--- a/openbsc/src/libmgcp/mgcp_protocol.c
+++ b/openbsc/src/libmgcp/mgcp_protocol.c
@@ -262,6 +262,18 @@ struct msgb *mgcp_handle_message(struct mgcp_config *cfg, 
struct msgb *msg)
        struct msgb *resp = NULL;
        char *data;
 
+       /* Ensure that the msg->l2h is NULL terminated. */
+       if (msgb_tailroom(msg) > 0)
+               *msg->tail = '\0';
+       else if (*(msg->tail-1) == '\r' || *(msg->tail-1) == '\n')
+               *(msg->tail - 1) = '\0';
+       else {
+               LOGP(DMGCP, LOGL_ERROR, "Cannot NUL terminate MGCP message: "
+                    "Length: %d, Buffer size: %d\n",
+                    msgb_l2len(msg), msg->data_len);
+               return NULL;
+       }
+
        if (msgb_l2len(msg) < 4) {
                LOGP(DMGCP, LOGL_ERROR, "msg too short: %d\n", msg->len);
                return NULL;
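Review bot: In the `else if` branch (the full-buffer case) the trailing CR/LF is overwritten in place but `msg->len`/`msgb_l2len(msg)` are not reduced, so the `msgb_l2len(msg) < 4` check and any later length-based handling still count the NUL as payload; dropping the byte from the msgb as well, e.g. `msgb_get(msg, 1); *msg->tail = '\0';` (if that helper is available in this libosmocore), keeps the length and the string consistent. The same branch reads `*(msg->tail-1)` before any length check, which is only safe if the msgb is guaranteed to hold at least one byte; if an empty msgb with no tailroom can reach this function, move the `msgb_l2len(msg) < 4` guard ahead of the termination code, since it only inspects `msg->len`. The `%d` specifiers in the new LOGP line assume both lengths are plain ints; if `msgb_l2len()` returns `unsigned int` and `data_len` is `uint16_t` (as in libosmocore), `%u` is the matching specifier. The body of mgcp_handle_message continues outside the hunk.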
@@ -278,7 +290,6 @@ struct msgb *mgcp_handle_message(struct mgcp_config *cfg, 
struct msgb *msg)
 
        /*
         * Check for a duplicate message and respond.
-        * FIXME: Verify that the msg->l3h is NULL terminated.
         */
        memset(&pdata, 0, sizeof(pdata));
        pdata.cfg = cfg;
-- 
1.7.9.5

