git:master:8cb61c86: nat_traversal: use snprintf() instead of sprintf() - sr-dev

18 Nov 2019

Module: kamailio
Branch: master
Commit: 8cb61c86879802bf3f4eb5d60ee280d6003303c7
URL: https://github.com/kamailio/kamailio/commit/8cb61c86879802bf3f4eb5d60ee280d6...
Author: Daniel-Constantin Mierla miconda@gmail.com
Committer: Daniel-Constantin Mierla miconda@gmail.com
Date: 2019-11-18T18:05:50+01:00
nat_traversal: use snprintf() instead of sprintf()
---
Modified: src/modules/nat_traversal/nat_traversal.c
---
Diff:  https://github.com/kamailio/kamailio/commit/8cb61c86879802bf3f4eb5d60ee280d6...
Patch: https://github.com/kamailio/kamailio/commit/8cb61c86879802bf3f4eb5d60ee280d6...
---

diff --git a/src/modules/nat_traversal/nat_traversal.c b/src/modules/nat_traversal/nat_traversal.c
index 3ccb6720ec..4ad12674db 100644
--- a/src/modules/nat_traversal/nat_traversal.c
+++ b/src/modules/nat_traversal/nat_traversal.c
@@ -1479,7 +1479,7 @@ static int FixContact(struct sip_msg *msg)
    struct lump *anchor;
    struct sip_uri uri;
    int len, offset;
-	char *buf;
+	str buf;
if(!get_contact_uri(msg, &uri, &contact))
    	return -1;
@@ -1506,8 +1506,8 @@ static int FixContact(struct sip_msg *msg)
// first try to alloc mem. if we fail we don't want to have the lump
    // deleted and not replaced. at least this way we keep the original.
-	buf = pkg_malloc(len);
-	if(buf == NULL) {
+	buf.s = pkg_malloc(len);
+	if(buf.s == NULL) {
    	LM_ERR("out of memory\n");
    	return -1;
    }
@@ -1517,26 +1517,30 @@ static int FixContact(struct sip_msg *msg)
    		msg, offset, contact->uri.len, (enum _hdr_types_t)HDR_CONTACT_F);
if(!anchor) {
-		pkg_free(buf);
+		pkg_free(buf.s);
    	return -1;
    }
if(msg->rcv.src_ip.af == AF_INET6) {
-		len = sprintf(buf, "%.*s[%s]:%d%.*s", before_host.len, before_host.s,
+		buf.len = snprintf(buf.s, len, "%.*s[%s]:%d%.*s", before_host.len, before_host.s,
    			newip.s, newport, after.len, after.s);
    } else {
-		len = sprintf(buf, "%.*s%s:%d%.*s", before_host.len, before_host.s,
+		buf.len = snprintf(buf.s, len, "%.*s%s:%d%.*s", before_host.len, before_host.s,
    			newip.s, newport, after.len, after.s);
    }
+	if(buf.len < 0 || buf.len>=len) {
+		pkg_free(buf.s);
+		return -1;
+	}
-	if(insert_new_lump_after(anchor, buf, len, (enum _hdr_types_t)HDR_CONTACT_F)
+	if(insert_new_lump_after(anchor, buf.s, buf.len, (enum _hdr_types_t)HDR_CONTACT_F)
    		== 0) {
-		pkg_free(buf);
+		pkg_free(buf.s);
    	return -1;
    }
-	contact->uri.s = buf;
-	contact->uri.len = len;
+	contact->uri.s = buf.s;
+	contact->uri.len = buf.len;
return 1;
 }

    