From bea603b7fa5ec14a472484e70afbcea3d9b4459c Mon Sep 17 00:00:00 2001
From: Nathan Neulinger
Date: Tue, 5 Aug 2014 11:26:20 -0500
Subject: [PATCH] mod_skinny: fix potential overflow CID: 1060947
---
 src/mod/endpoints/mod_skinny/mod_skinny.h | 2 ++
 src/mod/endpoints/mod_skinny/skinny_server.c | 6 ++++++
 2 files changed, 8 insertions(+)
diff --git a/src/mod/endpoints/mod_skinny/mod_skinny.h b/src/mod/endpoints/mod_skinny/mod_skinny.h
index e3571dfe95..425710dae4 100644
--- a/src/mod/endpoints/mod_skinny/mod_skinny.h
+++ b/src/mod/endpoints/mod_skinny/mod_skinny.h
@@ -336,6 +336,8 @@ switch_endpoint_interface_t *skinny_get_endpoint_interface();
 #define skinny_textid2raw(label) (label > 0 ? switch_mprintf("\200%c", label) : switch_mprintf(""))
 char *skinny_format_message(const char *str);
+#define SKINNY_MAX_STRING 16384
+
 #endif /* _MOD_SKINNY_H */
 /* For Emacs:
diff --git a/src/mod/endpoints/mod_skinny/skinny_server.c b/src/mod/endpoints/mod_skinny/skinny_server.c
index eae4954351..c1be92c3c4 100644
--- a/src/mod/endpoints/mod_skinny/skinny_server.c
+++ b/src/mod/endpoints/mod_skinny/skinny_server.c
@@ -1802,6 +1802,12 @@ switch_status_t skinny_handle_capabilities_response(listener_t *listener, skinny
 }
 i = 0;
 pos = 0;
+
+ if ( string_len > SKINNY_MAX_STRING ) {
+ skinny_log_l_msg(listener, SWITCH_LOG_ERROR, "Codec string list too long.\n");
+ return SWITCH_STATUS_FALSE;
+ }
+
 codec_string = calloc(string_len+1,1);
 if ( !codec_string ) {
 skinny_log_l_msg(listener, SWITCH_LOG_ERROR, "Unable to allocate memory for codec string.\n");
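Review bot: In mod_skinny.h, `SKINNY_MAX_STRING` is added with no comment saying what it limits, in which unit, or why 16384 was chosen, and the name is broader than its one visible use as a cap on the codec string length in skinny_server.c. A reader who later reuses it for a different buffer has nothing to tell them whether the value fits. I would add a line above it such as `/* Upper bound, in bytes, on a string assembled from a device message before it is allocated */`, adjusted to whatever the intended scope actually is.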
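Review bot: In skinny_server.c, the new guard in skinny_handle_capabilities_response tests only the finished total. The code that accumulates `string_len` and the declaration of its type are both outside the hunk, so it is worth confirming that the sum cannot wrap before it reaches `string_len > SKINNY_MAX_STRING`, or go negative if the type is signed. If that cannot be shown, applying the bound while the length is being accumulated is the safer place for it. The error path also logs a fixed string, so an operator cannot see the rejected length or the limit; logging both through the module's formatted logging macro would make an oversized capabilities message easier to diagnose. A short comment above the check, for example `/* reject oversized codec lists before sizing the allocation below */`, would tie the guard to the `calloc(string_len+1,1)` it protects.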