git:master:0666abf8: uac: use snprintf() instead of sprintf() - sr-dev

18 Nov 2019

Module: kamailio
Branch: master
Commit: 0666abf851bc5916b7700a30077ee954f695b862
URL: https://github.com/kamailio/kamailio/commit/0666abf851bc5916b7700a30077ee954...
Author: Daniel-Constantin Mierla miconda@gmail.com
Committer: Daniel-Constantin Mierla miconda@gmail.com
Date: 2019-11-18T18:05:50+01:00
uac: use snprintf() instead of sprintf()
---
Modified: src/modules/uac/replace.c
---
Diff:  https://github.com/kamailio/kamailio/commit/0666abf851bc5916b7700a30077ee954...
Patch: https://github.com/kamailio/kamailio/commit/0666abf851bc5916b7700a30077ee954...
---

diff --git a/src/modules/uac/replace.c b/src/modules/uac/replace.c
index 8da8fc7441..0b489144a7 100644
--- a/src/modules/uac/replace.c
+++ b/src/modules/uac/replace.c
@@ -568,6 +568,7 @@ int restore_uri( struct sip_msg *msg, str *rr_param, str* restore_avp,
    int i;
    int_str avp_value;
    int flag;
+	int bsize;
/* we should process only sequential request, but since we are looking
     * for Route param, the test is not really required -bogdan */
@@ -589,15 +590,20 @@ int restore_uri( struct sip_msg *msg, str *rr_param, str* restore_avp,
    	goto failed;
    }
-	add_to_rr.s = pkg_malloc(3+rr_param->len+param_val.len);
+	bsize = 3+rr_param->len+param_val.len;
+	add_to_rr.s = pkg_malloc(bsize);
    if ( add_to_rr.s==0 ) {
    	add_to_rr.len = 0;
    	LM_ERR("no more pkg mem\n");
    	goto failed;
    }
-	add_to_rr.len = sprintf(add_to_rr.s, ";%.*s=%.*s",
+	add_to_rr.len = snprintf(add_to_rr.s, bsize, ";%.*s=%.*s",
    		rr_param->len, rr_param->s, param_val.len, param_val.s);
+	if(add_to_rr.len<0 || add_to_rr.len>=bsize) {
+		LM_ERR("printing rr param failed\n");
+		goto failed;
+	}
    if ( uac_rrb.add_rr_param(msg, &add_to_rr)!=0 ) {
    	LM_ERR("add rr param failed\n");
    	goto failed;

    