AST-2017-010: Fix cdr_object_update_party_b_userfield_cb() buf overrun

cdr_object_update_party_b_userfield_cb() could overrun the fixed buffer if the supplied string is too long. The long string could be supplied by external means using the CDR(userfield) function. This may seem reminiscent to AST-2017-001 (ASTERISK_26897) and it is. The earlier patch fixed the buffer overrun for Party A's userfield while this patch fixes the same thing for Party B's userfield. ASTERISK-27337 Change-Id: I0fa767f65ecec7e676ca465306ff9e0edbf3b652
8 years ago · 2b85799512
parent 4e8271c2a5
commit 2b85799512
1 changed files with 4 additions and 2 deletions
--- a/main/cdr.c
+++ b/main/cdr.c
@ -3384,7 +3384,8 @@ static int cdr_object_update_party_b_userfield_cb(void *obj, void *arg, void *da
 		ast_assert(cdr->party_b.snapshot
 			&& !strcasecmp(cdr->party_b.snapshot->name, info->channel_name));

-		strcpy(cdr->party_b.userfield, info->userfield);
+		ast_copy_string(cdr->party_b.userfield, info->userfield,
+			sizeof(cdr->party_b.userfield));
 	}

 	return 0;
@ -3407,7 +3408,8 @@ void ast_cdr_setuserfield(const char *channel_name, const char *userfield)
 			if (it_cdr->fn_table == &finalized_state_fn_table && it_cdr->next != NULL) {
 				continue;
 			}
-			ast_copy_string(it_cdr->party_a.userfield, userfield, AST_MAX_USER_FIELD);
+			ast_copy_string(it_cdr->party_a.userfield, userfield,
+				sizeof(it_cdr->party_a.userfield));
 		}
 		ao2_unlock(cdr);
 	}