Module: kamailio Branch: master Commit: 8cb61c86879802bf3f4eb5d60ee280d6003303c7 URL: https://github.com/kamailio/kamailio/commit/8cb61c86879802bf3f4eb5d60ee280d… Author: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt; Committer: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt; Date: 2019-11-18T18:05:50+01:00 nat_traversal: use snprintf() instead of sprintf() --- Modified: src/modules/nat_traversal/nat_traversal.c --- Diff: https://github.com/kamailio/kamailio/commit/8cb61c86879802bf3f4eb5d60ee280d… Patch: https://github.com/kamailio/kamailio/commit/8cb61c86879802bf3f4eb5d60ee280d… --- diff --git a/src/modules/nat_traversal/nat_traversal.c b/src/modules/nat_traversal/nat_traversal.c index 3ccb6720ec..4ad12674db 100644 --- a/src/modules/nat_traversal/nat_traversal.c +++ b/src/modules/nat_traversal/nat_traversal.c @@ -1479,7 +1479,7 @@ static int FixContact(struct sip_msg *msg) struct lump *anchor; struct sip_uri uri; int len, offset; - char *buf; + str buf; if(!get_contact_uri(msg, &uri, &contact)) return -1; @@ -1506,8 +1506,8 @@ static int FixContact(struct sip_msg *msg) // first try to alloc mem. if we fail we don't want to have the lump // deleted and not replaced. at least this way we keep the original. - buf = pkg_malloc(len); - if(buf == NULL) { + buf.s = pkg_malloc(len); + if(buf.s == NULL) { LM_ERR("out of memory\n"); return -1; } @@ -1517,26 +1517,30 @@ static int FixContact(struct sip_msg *msg) msg, offset, contact->uri.len, (enum _hdr_types_t)HDR_CONTACT_F); if(!anchor) { - pkg_free(buf); + pkg_free(buf.s); return -1; } if(msg->rcv.src_ip.af == AF_INET6) { - len = sprintf(buf, "%.*s[%s]:%d%.*s", before_host.len, before_host.s, + buf.len = snprintf(buf.s, len, "%.*s[%s]:%d%.*s", before_host.len, before_host.s, newip.s, newport, after.len, after.s); } else { - len = sprintf(buf, "%.*s%s:%d%.*s", before_host.len, before_host.s, + buf.len = snprintf(buf.s, len, "%.*s%s:%d%.*s", before_host.len, before_host.s, newip.s, newport, after.len, after.s); } + if(buf.len < 0 || buf.len>=len) { + pkg_free(buf.s); + return -1; + } - if(insert_new_lump_after(anchor, buf, len, (enum _hdr_types_t)HDR_CONTACT_F) + if(insert_new_lump_after(anchor, buf.s, buf.len, (enum _hdr_types_t)HDR_CONTACT_F) == 0) { - pkg_free(buf); + pkg_free(buf.s); return -1; } - contact->uri.s = buf; - contact->uri.len = len; + contact->uri.s = buf.s; + contact->uri.len = buf.len; return 1; }