Module: kamailio
Branch: master
Commit: 96d0b4ecff3cd680861bbc2ac02151a77cb05cae
URL: 
https://github.com/kamailio/kamailio/commit/96d0b4ecff3cd680861bbc2ac02151a77cb05cae

Author: Daniel-Constantin Mierla <[email protected]>
Committer: Daniel-Constantin Mierla <[email protected]>
Date: 2016-01-04T19:19:35+01:00

presence_xml: safety checks for pkg alloc and buffer size

---

Modified: modules/presence_xml/notify_body.c

---

Diff:  
https://github.com/kamailio/kamailio/commit/96d0b4ecff3cd680861bbc2ac02151a77cb05cae.diff
Patch: 
https://github.com/kamailio/kamailio/commit/96d0b4ecff3cd680861bbc2ac02151a77cb05cae.patch

---

diff --git a/modules/presence_xml/notify_body.c 
b/modules/presence_xml/notify_body.c
index f10305c..bba3687 100644
--- a/modules/presence_xml/notify_body.c
+++ b/modules/presence_xml/notify_body.c
@@ -78,12 +78,31 @@ str* pres_agg_nbody_empty(str* pres_user, str* pres_domain)
 {
        str* n_body= NULL;
 
+       str* body_array;
+       char* body;
+
        LM_DBG("creating empty presence for [pres_user]=%.*s [pres_domain]= 
%.*s\n",
                        pres_user->len, pres_user->s, pres_domain->len, 
pres_domain->s);
 
-       str* body_array = (str*)pkg_malloc(sizeof(str));
-       char* body = (char*)pkg_malloc(PRESENCE_EMPTY_BODY_SIZE);
-       sprintf(body, PRESENCE_EMPTY_BODY, pres_user->len, pres_user->s);
+       if(pres_user->len+sizeof(PRESENCE_EMPTY_BODY)
+                       >= PRESENCE_EMPTY_BODY_SIZE - 1) {
+               LM_ERR("insufficient buffer to add user (its len is: %d)\n",
+                               pres_user->len);
+               return NULL;
+       }
+       body_array = (str*)pkg_malloc(sizeof(str));
+       if(body_array==NULL) {
+               LM_ERR("no more pkg\n");
+               return NULL;
+       }
+
+       body = (char*)pkg_malloc(PRESENCE_EMPTY_BODY_SIZE);
+       if(body_array==NULL) {
+               LM_ERR("no more pkg\n");
+               pkg_free(body_array);
+               return NULL;
+       }
+       snprintf(body, PRESENCE_EMPTY_BODY_SIZE, PRESENCE_EMPTY_BODY, 
pres_user->len, pres_user->s);
        body_array->s = body;
        body_array->len = strlen(body);
 
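Review bot: The NULL check after the second allocation tests the wrong pointer: right after `body = (char*)pkg_malloc(PRESENCE_EMPTY_BODY_SIZE);` the guard reads `if(body_array==NULL)`, which can never be true at that point, so a failed allocation of `body` goes undetected and `snprintf` then writes through a NULL pointer. The guard should be `if(body==NULL) {`, keeping the `pkg_free(body_array)` cleanup already present in that branch. Separately, the return value of `snprintf` is not checked; the length test at the top is meant to rule out truncation, but whether it does depends on the definitions of `PRESENCE_EMPTY_BODY` and `PRESENCE_EMPTY_BODY_SIZE`, which are outside this hunk, so treating a result `>= PRESENCE_EMPTY_BODY_SIZE` as an error would make the bound self-contained. The body of pres_agg_nbody_empty continues past the end of the hunk.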
@@ -91,11 +110,10 @@ str* pres_agg_nbody_empty(str* pres_user, str* pres_domain)
        n_body= agregate_xmls(pres_user, pres_domain, &body_array, 1);
        LM_DBG("[n_body]=%p\n", n_body);
        if(n_body) {
-               LM_DBG("[*n_body]=%.*s\n",n_body->len, n_body->s);
+               LM_DBG("[*n_body]=%.*s\n", n_body->len, n_body->s);
        }
-       if(n_body== NULL)
-       {
-               LM_ERR("while aggregating body\n");
+       if(n_body== NULL) {
+               LM_ERR("while aggregating body for: %.*s\n", pres_user->len, 
pres_user->s);
        }
 
        pkg_free(body);

