From dad0f5c89be779b3042f14b7684747de0126c5f7 Mon Sep 17 00:00:00 2001 From: Gitea Date: Mon, 10 Jul 2023 12:43:06 -0300 Subject: [PATCH] res_pjsip_header_funcs: Duplicate new header value, don't copy. When updating an existing header the 'update' code incorrectly just copied the new value into the existing buffer. If the new value exceeded the available buffer size memory outside of the buffer would be written into, potentially causing a crash. This change makes it so that the 'update' now duplicates the new header value instead of copying it into the existing buffer. --- res/res_pjsip_header_funcs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/res/res_pjsip_header_funcs.c b/res/res_pjsip_header_funcs.c index 6909a53b4e..3272d18c09 100644 --- a/res/res_pjsip_header_funcs.c +++ b/res/res_pjsip_header_funcs.c @@ -676,6 +676,7 @@ static int add_header(void *obj) static int update_header(void *obj) { struct header_data *data = obj; + pj_pool_t *pool = data->channel->session->inv_session->dlg->pool; pjsip_hdr *hdr = NULL; RAII_VAR(struct ast_datastore *, datastore, ast_sip_session_get_datastore(data->channel->session, data->header_datastore->type), @@ -694,7 +695,7 @@ static int update_header(void *obj) return -1; } - pj_strcpy2(&((pjsip_generic_string_hdr *) hdr)->hvalue, data->header_value); + pj_strdup2(pool, &((pjsip_generic_string_hdr *) hdr)->hvalue, data->header_value); return 0; }