From a6823bb0c4f33dd19c11cd30f23650a194c2dbb7 Mon Sep 17 00:00:00 2001 From: Corey Farrell Date: Mon, 25 Jan 2016 12:03:21 -0500 Subject: [PATCH] chan_sip: Fix buffer overrun in sip_sipredirect. sip_sipredirect uses sscanf to copy up to 256 characters to a stacked buffer of 256 characters. This patch reduces the copy to 255 characters to leave room for the string null terminator. ASTERISK-25722 #close Change-Id: Id6c3a629a609e94153287512c59aa1923e8a03ab --- channels/chan_sip.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/channels/chan_sip.c b/channels/chan_sip.c index c2df516e29..6844317407 100644 --- a/channels/chan_sip.c +++ b/channels/chan_sip.c @@ -32954,8 +32954,8 @@ static int sip_sipredirect(struct sip_pvt *p, const char *dest) memset(ldomain, 0, sizeof(ldomain)); local_to_header++; - /* This is okey because lhost and lport are as big as tmp */ - sscanf(local_to_header, "%256[^<>; ]", ldomain); + /* Will copy no more than 255 chars plus null terminator. */ + sscanf(local_to_header, "%255[^<>; ]", ldomain); if (ast_strlen_zero(ldomain)) { ast_log(LOG_ERROR, "Can't find the host address\n"); return 0;