This time the fix is proper for issue 12284. I have tested it thoroughly and found that valgrind no longer complains and that calls do complete correctly.

The fix is along the same lines as before: Make sure the final null terminator gets copied
into the new sip_request's data pointer. Without it, parse_request will read and potentially
write past the end of the string, causing potential crashes.

(closes issue #12284...for real this time!)
reported by falves11



git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@111811 65c4cc65-6c06-0410-ace0-fbb531ad65f3
1.6.1
Mark Michelson 18 years ago
parent 3a0f4cc933
commit bf4893fdce
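The copy rule described in the commit message, as an added C illustration that is not Asterisk's code: a hypothetical length-tracked string (struct lstr, lstr_create, lstr_make_space, lstr_from_bytes are all assumed names, not ast_str) holds a request whose line breaks have become NUL bytes, so only a memcpy of used + 1 bytes carries the terminator across. The same copy body is run once with used + 1 (the fixed shape) and once with used (the pre-fix shape), and the destination is pre-filled with a marker byte so a missing terminator shows up deterministically. The sample request bytes are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical length-tracked string (assumed name, not Asterisk's ast_str):
 * 'len' is the capacity of str, 'used' the payload length, and the invariant
 * a copy must preserve is str[used] == '\0' even though the payload itself
 * contains NUL bytes.
 */
struct lstr {
    size_t len;
    size_t used;
    char str[];
};

/* Allocate 'cap' bytes, filled with a non-NUL marker so that a missing
 * terminator is visible instead of depending on what malloc left behind. */
static struct lstr *lstr_create(size_t cap)
{
    struct lstr *s = malloc(sizeof(*s) + cap);
    if (!s)
        return NULL;
    s->len = cap;
    s->used = 0;
    memset(s->str, 'X', cap);
    return s;
}

/* Grow to at least 'need' bytes; 0 on success, -1 if realloc fails. */
static int lstr_make_space(struct lstr **s, size_t need)
{
    struct lstr *n;
    if ((*s)->len >= need)
        return 0;
    n = realloc(*s, sizeof(*n) + need);
    if (!n)
        return -1;
    memset(n->str + n->len, 'X', need - n->len);
    n->len = need;
    *s = n;
    return 0;
}

/* Wrap raw bytes (which may contain NULs) and terminate them. */
static struct lstr *lstr_from_bytes(const char *bytes, size_t n)
{
    struct lstr *s = lstr_create(n + 1);
    if (!s)
        return NULL;
    memcpy(s->str, bytes, n);
    s->str[n] = '\0';
    s->used = n;
    return s;
}

/* Shared copy body: reserve and copy 'need' bytes of src into *dst. The
 * capacity check, the growth and the memcpy all use the same 'need', so a
 * destination whose capacity is exactly src->used is grown before the
 * extra byte is written. */
static int lstr_copy_n(struct lstr **dst, const struct lstr *src, size_t need)
{
    if (!*dst) {
        if (!(*dst = lstr_create(need)))
            return -1;
    } else if ((*dst)->len < need && lstr_make_space(dst, need)) {
        return -1;
    }
    memcpy((*dst)->str, src->str, need);
    (*dst)->used = src->used;
    return 0;
}

/* Fixed shape: payload plus terminator. */
int lstr_copy_terminated(struct lstr **dst, const struct lstr *src)
{
    return lstr_copy_n(dst, src, src->used + 1);
}

/* Pre-fix shape: payload only, terminator left to chance. */
int lstr_copy_unterminated(struct lstr **dst, const struct lstr *src)
{
    return lstr_copy_n(dst, src, src->used);
}

/* 1 when the byte at 'used' lies inside the buffer and is NUL, else 0. */
int lstr_has_terminator(const struct lstr *s)
{
    return s->used < s->len && s->str[s->used] == '\0';
}

/* Constructed sample: a request whose line breaks have become NULs. */
static const char sample[] =
    "INVITE sip:alice@example.invalid SIP/2.0\0"
    "Via: SIP/2.0/UDP 192.0.2.1\0"
    "Content-Length: 0\0";
#define SAMPLE_LEN (sizeof(sample) - 1)

/* Copy the sample into a destination of capacity 'cap' with either copy;
 * returns 1 if the terminator survived, 0 if not, -1 on allocation failure. */
int copy_and_check(int terminated, size_t cap)
{
    struct lstr *src = lstr_from_bytes(sample, SAMPLE_LEN);
    struct lstr *dst = src ? lstr_create(cap) : NULL;
    int rc = -1;
    if (src && dst) {
        rc = terminated ? lstr_copy_terminated(&dst, src)
                        : lstr_copy_unterminated(&dst, src);
        if (rc == 0)
            rc = lstr_has_terminator(dst);
    }
    free(src);
    free(dst);
    return rc;
}

int main(void)
{
    printf("fixed copy, roomy buffer:     %d\n", copy_and_check(1, SAMPLE_LEN + 1));
    printf("fixed copy, buffer of 'used': %d\n", copy_and_check(1, SAMPLE_LEN));
    printf("pre-fix copy, roomy buffer:   %d\n", copy_and_check(0, SAMPLE_LEN + 1));
    return 0;
}
```

The second case in main is the one worth keeping in mind when reading the hunk below: a caller-supplied destination whose capacity equals the payload length only gets its terminator if the capacity check, not just the allocation and the memcpy, accounts for the extra byte.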

@ -8305,12 +8305,18 @@ static void copy_request(struct sip_request *dst, const struct sip_request *src)
memcpy(dst, src, sizeof(*dst)); memcpy(dst, src, sizeof(*dst));
dst->data = dup; dst->data = dup;
if (!dst->data && !(dst->data = ast_str_create(src->data->used))) /* All these + 1's are to account for the need to include the NULL terminator
* Using typical string functions like ast_copy_string or ast_str_set will not
* work in this case because the src's data string is riddled with \0's all over
* the place and so a memcpy is the only way to accurately copy the string
*/
if (!dst->data && !(dst->data = ast_str_create(src->data->used + 1)))
return; return;
else if (dst->data->len < src->data->used) else if (dst->data->len < src->data->used)
ast_str_make_space(&dst->data, src->data->used); ast_str_make_space(&dst->data, src->data->used + 1);
memcpy(dst->data->str, src->data->str, src->data->used); memcpy(dst->data->str, src->data->str, src->data->used + 1);
dst->data->used = src->data->used; dst->data->used = src->data->used;
offset = ((void *)dst->data->str) - ((void *)src->data->str); offset = ((void *)dst->data->str) - ((void *)src->data->str);
/* Now fix pointer arithmetic */ /* Now fix pointer arithmetic */
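Review bot: the capacity check in this hunk was not carried to the new size: `else if (dst->data->len < src->data->used)` still compares against `used`, while the `ast_str_make_space()` call and the `memcpy()` below it now work with `src->data->used + 1`. When the caller passes a `dup` buffer whose `len` equals `src->data->used` exactly, the condition is false, no space is made, and the terminator is written one byte past the end of `dst->data->str`, the same class of overrun the commit message is fixing. Change the test to `else if (dst->data->len < src->data->used + 1)`, or compute `src->data->used + 1` once and use it in all three places so the sizes cannot drift apart again. The return value of `ast_str_make_space()` is also ignored; if it can fail, return before the `memcpy()` rather than copying into the old, too-small buffer.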