Module: kamailio
Branch: master
Commit: 25f2180999dafb807068313c4a329a163dd99f92
URL:
https://github.com/kamailio/kamailio/commit/25f2180999dafb807068313c4a329a1…
Author: codyherzog <cherzog(a)intouchhealth.com>
Committer: codyherzog <cherzog(a)intouchhealth.com>
Date: 2017-08-07T12:46:27-07:00
textops: Fix 'offset exceeds message size' crash.
Ensure that buffer is null terminated when subst_run() function is used.
---
Modified: src/modules/textops/textops.c
---
Diff:
https://github.com/kamailio/kamailio/commit/25f2180999dafb807068313c4a329a1…
Patch:
https://github.com/kamailio/kamailio/commit/25f2180999dafb807068313c4a329a1…
---
diff --git a/src/modules/textops/textops.c b/src/modules/textops/textops.c
index 5048fbae5d..655f638154 100644
--- a/src/modules/textops/textops.c
+++ b/src/modules/textops/textops.c
@@ -682,12 +682,19 @@ static int subst_helper_f(sip_msg_t* msg, struct subst_expr* se)
int off;
int ret;
int nmatches;
+ char c;
begin=get_header(msg); /* start after first line to avoid replacing
* the uri */
off=begin-msg->buf;
ret=-1;
- if ((lst=subst_run(se, begin, msg, &nmatches))==0)
+
+ c = msg->buf[msg->len];
+ msg->buf[msg->len] = '\0';
+ lst=subst_run(se, begin, msg, &nmatches);
+ msg->buf[msg->len] = c;
+
+ if (lst==0)
goto error; /* not found */
for (rpl=lst; rpl; rpl=rpl->next){
LM_DBG("%s: replacing at offset %d [%.*s] with [%.*s]\n",
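Review bot: The store to `msg->buf[msg->len]` writes one byte beyond the message length, and nothing in this hunk checks or documents that the buffer has that spare byte and is writable; the subst_body_helper_f hunk further down does the same through `body.s[body.len]`. If msg can be a copy allocated at exactly msg->len, or one held in shared memory that other processes read, the fix trades an over-read for an out-of-bounds or unsynchronised write. I would record the invariant at the site, e.g. `/* subst_run() scans to a NUL; relies on msg->buf holding msg->len+1 writable bytes */`, and only swap when needed with `if (c != '\0') msg->buf[msg->len] = '\0';`. subst_helper_f begins and ends outside the hunk, so the allocation of msg->buf is not visible here.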
@@ -826,6 +833,7 @@ static int subst_body_helper_f(struct sip_msg* msg, struct subst_expr*
se)
int ret;
int nmatches;
str body;
+ char c;
body.s = get_body(msg);
if (body.s==0) {
@@ -842,7 +850,13 @@ static int subst_body_helper_f(struct sip_msg* msg, struct
subst_expr* se)
off=begin-msg->buf;
ret=-1;
- if ((lst=subst_run(se, begin, msg, &nmatches))==0)
+
+ c = body.s[body.len];
+ body.s[body.len] = '\0';
+ lst=subst_run(se, begin, msg, &nmatches);
+ body.s[body.len] = c;
+
+ if (lst==0)
goto error; /* not found */
for (rpl=lst; rpl; rpl=rpl->next){
LM_DBG("%s replacing at offset %d [%.*s] with [%.*s]\n",
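Review bot: The terminator is placed at `body.s[body.len]`, but `body.len` is assigned outside this hunk and the scan handed to subst_run() starts at `begin`, so the visible lines do not show that this index stays inside the received buffer. If body.len could ever come from a peer-supplied Content-Length rather than from msg->len, the save and restore would read and write past the data actually received. A guard before the swap, such as `if (body.s + body.len > msg->buf + msg->len) goto error;`, would tie the write to the known message bounds. Terminating at `msg->buf[msg->len]` as subst_helper_f does would achieve the same. The body of subst_body_helper_f starts and ends outside the hunk.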