AST-2017-010: Fix cdr_object_update_party_b_userfield_cb() buf overrun

cdr_object_update_party_b_userfield_cb() could overrun the fixed buffer if the supplied string is too long. The long string could be supplied by external means using the CDR(userfield) function. This may seem reminiscent to AST-2017-001 (ASTERISK_26897) and it is. The earlier patch fixed the buffer overrun for Party A's userfield while this patch fixes the same thing for Party B's userfield. ASTERISK-27337 Change-Id: I0fa767f65ecec7e676ca465306ff9e0edbf3b652
8 years ago · b358e441cd
parent b7f64c30e2
commit b358e441cd
1 changed files with 4 additions and 2 deletions
--- a/main/cdr.c
+++ b/main/cdr.c
@ -3407,7 +3407,8 @@ static int cdr_object_update_party_b_userfield_cb(void *obj, void *arg, void *da
 		ast_assert(cdr->party_b.snapshot
 			&& !strcasecmp(cdr->party_b.snapshot->name, info->channel_name));

-		strcpy(cdr->party_b.userfield, info->userfield);
+		ast_copy_string(cdr->party_b.userfield, info->userfield,
+			sizeof(cdr->party_b.userfield));
 	}

 	return 0;
@ -3430,7 +3431,8 @@ void ast_cdr_setuserfield(const char *channel_name, const char *userfield)
 			if (it_cdr->fn_table == &finalized_state_fn_table && it_cdr->next != NULL) {
 				continue;
 			}
-			ast_copy_string(it_cdr->party_a.userfield, userfield, AST_MAX_USER_FIELD);
+			ast_copy_string(it_cdr->party_a.userfield, userfield,
+				sizeof(it_cdr->party_a.userfield));
 		}
 		ao2_unlock(cdr);
 	}