[sr-dev] git:master:53c27ac3: app_mono: safety check beforing accessing field inside pointer

Daniel-Constantin Mierla miconda at gmail.com
Fri Dec 8 09:39:40 CET 2017 

Module: kamailio
Branch: master
Commit: 53c27ac3eb3e762110bd5cf54e55ddd85a7973a1
URL: https://github.com/kamailio/kamailio/commit/53c27ac3eb3e762110bd5cf54e55ddd85a7973a1

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2017-12-08T08:57:17+01:00

app_mono: safety check beforing accessing field inside pointer

- zero terminated allocated strings

---

Modified: src/modules/app_mono/app_mono_api.c

---

Diff:  https://github.com/kamailio/kamailio/commit/53c27ac3eb3e762110bd5cf54e55ddd85a7973a1.diff
Patch: https://github.com/kamailio/kamailio/commit/53c27ac3eb3e762110bd5cf54e55ddd85a7973a1.patch

---

diff --git a/src/modules/app_mono/app_mono_api.c b/src/modules/app_mono/app_mono_api.c
index 7bdfcb97a9..37ece204d2 100644
--- a/src/modules/app_mono/app_mono_api.c
+++ b/src/modules/app_mono/app_mono_api.c
@@ -136,7 +136,7 @@ int mono_sr_init_load(void)
 	}
 	mono_config_parse (NULL);
 	mi = _sr_mono_load_list;
-	if(mi->domain != NULL)
+	if(mi && mi->domain != NULL)
 	{
 		LM_ERR("worker mono environment already initialized\n");
 		return 0;
@@ -769,13 +769,14 @@ static int sr_mono_hdr_append (MonoString *hv)
 	}
 
 	hf = env_M->msg->last_header;
-	hdr = (char*)pkg_malloc(txt.len);
+	hdr = (char*)pkg_malloc(txt.len+1);
 	if(hdr==NULL)
 	{
 		LM_ERR("no pkg memory left\n");
 		goto error;
 	}
 	memcpy(hdr, txt.s, txt.len);
+	hdr[txt.len] = '\0';
 	anchor = anchor_lump(env_M->msg,
 				hf->name.s + hf->len - env_M->msg->buf, 0, 0);
 	if(insert_new_lump_before(anchor, hdr, txt.len, 0) == 0)
@@ -863,13 +864,14 @@ static int sr_mono_hdr_insert (MonoString *hv)
 
 	LM_DBG("insert hf: %s\n", txt.s);
 	hf = env_M->msg->headers;
-	hdr = (char*)pkg_malloc(txt.len);
+	hdr = (char*)pkg_malloc(txt.len+1);
 	if(hdr==NULL)
 	{
 		LM_ERR("no pkg memory left\n");
 		goto error;
 	}
 	memcpy(hdr, txt.s, txt.len);
+	hdr[txt.len] = '\0';
 	anchor = anchor_lump(env_M->msg,
 				hf->name.s + hf->len - env_M->msg->buf, 0, 0);
 	if(insert_new_lump_before(anchor, hdr, txt.len, 0) == 0)

More information about the sr-dev mailing list