Module: kamailio
Branch: master
Commit: 25f2180999dafb807068313c4a329a163dd99f92
URL: 
https://github.com/kamailio/kamailio/commit/25f2180999dafb807068313c4a329a163dd99f92

Author: codyherzog <[email protected]>
Committer: codyherzog <[email protected]>
Date: 2017-08-07T12:46:27-07:00

textops: Fix 'offset exceeds message size' crash.

Ensure that the buffer is NUL-terminated when the subst_run() function is used.

---

Modified: src/modules/textops/textops.c

---

Diff:  
https://github.com/kamailio/kamailio/commit/25f2180999dafb807068313c4a329a163dd99f92.diff
Patch: 
https://github.com/kamailio/kamailio/commit/25f2180999dafb807068313c4a329a163dd99f92.patch

---

diff --git a/src/modules/textops/textops.c b/src/modules/textops/textops.c
index 5048fbae5d..655f638154 100644
--- a/src/modules/textops/textops.c
+++ b/src/modules/textops/textops.c
@@ -682,12 +682,19 @@ static int subst_helper_f(sip_msg_t* msg, struct 
subst_expr* se)
        int off;
        int ret;
        int nmatches;
+       char c;
 
        begin=get_header(msg);  /* start after first line to avoid replacing
                                                        * the uri */
        off=begin-msg->buf;
        ret=-1;
-       if ((lst=subst_run(se, begin, msg, &nmatches))==0)
+
+       c = msg->buf[msg->len];
+       msg->buf[msg->len] = '\0';
+       lst=subst_run(se, begin, msg, &nmatches);
+       msg->buf[msg->len] = c;
+
+       if (lst==0)
                goto error; /* not found */
        for (rpl=lst; rpl; rpl=rpl->next){
                LM_DBG("%s: replacing at offset %d [%.*s] with [%.*s]\n",
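Review bot: The new `msg->buf[msg->len] = '\0';` writes one byte past the message length, so it is safe only if every sip_msg reaching subst_helper_f owns at least msg->len + 1 bytes in buf; the hunk neither checks nor documents that invariant, and for cloned or synthetically built messages it is worth confirming. A comment above the save would also stop the next reader from removing the save/restore as redundant: `/* subst_run() needs a NUL-terminated string; relies on buf holding len+1 bytes, original byte restored below */`. The unconditional restore right after the call covers both the found and not-found paths, which is correct. The subst_body_helper_f hunk has the same dependency with `body.s[body.len]`, where body.len is computed outside this diff and should be checked to stay inside the same allocation. subst_helper_f continues past the end of the hunk.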
@@ -826,6 +833,7 @@ static int subst_body_helper_f(struct sip_msg* msg, struct 
subst_expr* se)
        int ret;
        int nmatches;
        str body;
+       char c;
 
        body.s = get_body(msg);
        if (body.s==0) {
@@ -842,7 +850,13 @@ static int subst_body_helper_f(struct sip_msg* msg, struct 
subst_expr* se)
 
        off=begin-msg->buf;
        ret=-1;
-       if ((lst=subst_run(se, begin, msg, &nmatches))==0)
+
+       c = body.s[body.len];
+       body.s[body.len] = '\0';
+       lst=subst_run(se, begin, msg, &nmatches);
+       body.s[body.len] = c;
+
+       if (lst==0)
                goto error; /* not found */
        for (rpl=lst; rpl; rpl=rpl->next){
                LM_DBG("%s replacing at offset %d [%.*s] with [%.*s]\n",

