[sr-dev] git:master:96d0b4ec: presence_xml: safety checks for pkg alloc and buffer size

[Daniel-Constantin Mierla]

Module: kamailio
Branch: master
Commit: 96d0b4ecff3cd680861bbc2ac02151a77cb05cae
URL: https://github.com/kamailio/kamailio/commit/96d0b4ecff3cd680861bbc2ac02151a77cb05cae

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2016-01-04T19:19:35+01:00

presence_xml: safety checks for pkg alloc and buffer size

---

Modified: modules/presence_xml/notify_body.c

---

Diff:  https://github.com/kamailio/kamailio/commit/96d0b4ecff3cd680861bbc2ac02151a77cb05cae.diff
Patch: https://github.com/kamailio/kamailio/commit/96d0b4ecff3cd680861bbc2ac02151a77cb05cae.patch

---

diff --git a/modules/presence_xml/notify_body.c b/modules/presence_xml/notify_body.c
index f10305c..bba3687 100644
--- a/modules/presence_xml/notify_body.c
+++ b/modules/presence_xml/notify_body.c
@@ -78,12 +78,31 @@ str* pres_agg_nbody_empty(str* pres_user, str* pres_domain)
 {
 	str* n_body= NULL;
 
+	str* body_array;
+	char* body;
+
 	LM_DBG("creating empty presence for [pres_user]=%.*s [pres_domain]= %.*s\n",
 			pres_user->len, pres_user->s, pres_domain->len, pres_domain->s);
 
-	str* body_array = (str*)pkg_malloc(sizeof(str));
-	char* body = (char*)pkg_malloc(PRESENCE_EMPTY_BODY_SIZE);
-	sprintf(body, PRESENCE_EMPTY_BODY, pres_user->len, pres_user->s);
+	if(pres_user->len+sizeof(PRESENCE_EMPTY_BODY)
+			>= PRESENCE_EMPTY_BODY_SIZE - 1) {
+		LM_ERR("insufficient buffer to add user (its len is: %d)\n",
+				pres_user->len);
+		return NULL;
+	}
+	body_array = (str*)pkg_malloc(sizeof(str));
+	if(body_array==NULL) {
+		LM_ERR("no more pkg\n");
+		return NULL;
+	}
+
+	body = (char*)pkg_malloc(PRESENCE_EMPTY_BODY_SIZE);
+	if(body_array==NULL) {
+		LM_ERR("no more pkg\n");
+		pkg_free(body_array);
+		return NULL;
+	}
+	snprintf(body, PRESENCE_EMPTY_BODY_SIZE, PRESENCE_EMPTY_BODY, pres_user->len, pres_user->s);
 	body_array->s = body;
 	body_array->len = strlen(body);
 
@@ -91,11 +110,10 @@ str* pres_agg_nbody_empty(str* pres_user, str* pres_domain)
 	n_body= agregate_xmls(pres_user, pres_domain, &body_array, 1);
 	LM_DBG("[n_body]=%p\n", n_body);
 	if(n_body) {
-		LM_DBG("[*n_body]=%.*s\n",n_body->len, n_body->s);
+		LM_DBG("[*n_body]=%.*s\n", n_body->len, n_body->s);
 	}
-	if(n_body== NULL)
-	{
-		LM_ERR("while aggregating body\n");
+	if(n_body== NULL) {
+		LM_ERR("while aggregating body for: %.*s\n", pres_user->len, pres_user->s);
 	}
 
 	pkg_free(body);