Skip to content

F
freeswitch
提交 c1a3a280 authored 作者: Anthony Minessale II's avatar Anthony Minessale II
浏览文件
操作

Merge pull request #672 in FS/freeswitch from… 

Merge pull request #672 in FS/freeswitch from ~WT123/freeswitch:bugfix/FS-8757-fix-variable-and-header-expansion-buffer-overflow to v1.4

* commit '28da36e3':
  Buffer overflow in switch_channel_expand_variables_check and switch_event_expand_headers_check fixed (FS-8757)
上级 52583384 28da36e3
隐藏空白字符变更
内嵌 并排
正在显示 包含 32 行增加6 行删除
src/switch_channel.c
浏览文件 @ c1a3a280
...@@ -3825,6 +3825,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c ...@@ -3825,6 +3825,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
p++; p++;
continue; continue;
} else if (*(p + 1) == '\\') { } else if (*(p + 1) == '\\') {
if (len + 1 >= olen) {
resize(1);
}
*c++ = *p++; *c++ = *p++;
len++; len++;
continue; continue;
...@@ -3850,6 +3854,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c ...@@ -3850,6 +3854,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
} }
if (nv) { if (nv) {
if (len + 1 >= olen) {
resize(1);
}
*c++ = *p; *c++ = *p;
len++; len++;
nv = 0; nv = 0;
...@@ -4045,11 +4053,12 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c ...@@ -4045,11 +4053,12 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
vname = NULL; vname = NULL;
br = 0; br = 0;
} }
if (len + 1 >= olen) {
resize(1);
}
if (sp) { if (sp) {
if (len + 1 >= olen) {
resize(1);
}
*c++ = ' '; *c++ = ' ';
sp = 0; sp = 0;
len++; len++;
...@@ -4058,6 +4067,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c ...@@ -4058,6 +4067,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
if (*p == '$') { if (*p == '$') {
p--; p--;
} else { } else {
if (len + 1 >= olen) {
resize(1);
}
*c++ = *p; *c++ = *p;
len++; len++;
} }
......
src/switch_event.c
浏览文件 @ c1a3a280
...@@ -2240,6 +2240,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event, ...@@ -2240,6 +2240,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
p++; p++;
continue; continue;
} else if (*(p + 1) == '\\') { } else if (*(p + 1) == '\\') {
if (len + 1 >= olen) {
resize(1);
}
*c++ = *p++; *c++ = *p++;
len++; len++;
continue; continue;
...@@ -2264,6 +2268,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event, ...@@ -2264,6 +2268,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
} }
if (nv) { if (nv) {
if (len + 1 >= olen) {
resize(1);
}
*c++ = *p; *c++ = *p;
len++; len++;
nv = 0; nv = 0;
...@@ -2464,11 +2472,12 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event, ...@@ -2464,11 +2472,12 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
vtype = 0; vtype = 0;
br = 0; br = 0;
} }
if (len + 1 >= olen) {
resize(1);
}
if (sp) { if (sp) {
if (len + 1 >= olen) {
resize(1);
}
*c++ = ' '; *c++ = ' ';
sp = 0; sp = 0;
len++; len++;
...@@ -2477,6 +2486,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event, ...@@ -2477,6 +2486,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
if (*p == '$') { if (*p == '$') {
p--; p--;
} else { } else {
if (len + 1 >= olen) {
resize(1);
}
*c++ = *p; *c++ = *p;
len++; len++;
} }
......
Markdown 格式
0%
您添加了 0 到此讨论。请谨慎行事。
请先完成此评论的编辑!
注册 或者 后发表评论