git:master:441acf64: app_java: fix writing over the size of allocated buffer - sr-dev

19 Dec 2017

Module: kamailio
Branch: master
Commit: 441acf646fa9cf2fd1733f05397a43245b98d322
URL: https://github.com/kamailio/kamailio/commit/441acf646fa9cf2fd1733f05397a4324...
Author: Daniel-Constantin Mierla miconda@gmail.com
Committer: Daniel-Constantin Mierla miconda@gmail.com
Date: 2017-12-19T10:07:26+01:00
app_java: fix writing over the size of allocated buffer
---
Modified: src/modules/app_java/java_iface.c
---
Diff:  https://github.com/kamailio/kamailio/commit/441acf646fa9cf2fd1733f05397a4324...
Patch: https://github.com/kamailio/kamailio/commit/441acf646fa9cf2fd1733f05397a4324...
---

diff --git a/src/modules/app_java/java_iface.c b/src/modules/app_java/java_iface.c
index 9d68711247..0535591055 100644
--- a/src/modules/app_java/java_iface.c
+++ b/src/modules/app_java/java_iface.c
@@ -120,6 +120,7 @@ int java_exec(struct sip_msg *msgp, int is_static, int is_synchronized,
    jclass cls;
    jmethodID invk_method, invk_method_ref;
    jvalue *jparam;
+	int r;
if(signature == NULL || !strcmp(signature, "")) {
    	LM_ERR("%s: java_method_exec(): signature is empty or invalid.\n",
@@ -149,14 +150,19 @@ int java_exec(struct sip_msg *msgp, int is_static, int is_synchronized,
cslen = strlen(signature) + 2 + 1
    		+ 1; // '(' + 'signature' + ')' + 'return signature' + null terminator
-	cs = (char *)pkg_malloc(cslen * sizeof(char));
+	cs = (char *)pkg_malloc((cslen+1) * sizeof(char));
    if(!cs) {
    	LM_ERR("%s: pkg_malloc() has failed. Can't allocate %lu bytes. Not "
    		   "enough memory!\n",
    			APP_NAME, (unsigned long)cslen);
    	return -1;
    }
-	snprintf(cs, cslen, "(%s)%s", signature, retval_sig);
+	r = snprintf(cs, cslen, "(%s)%s", signature, retval_sig);
+	if(r<0 || r>cslen) {
+		LM_ERR("building cs value failed\n");
+		pkg_free(cs);
+		return -1;
+	}
    cs[cslen] = '\0';
// attach to current thread

    