[sr-dev] git:master:5e098077: carrierroute: avoid ovverruning a fixed sized buffer

[Daniel-Constantin Mierla]

Module: kamailio
Branch: master
Commit: 5e098077525b2d06834a03f69ea246835af6f11c
URL: https://github.com/kamailio/kamailio/commit/5e098077525b2d06834a03f69ea246835af6f11c

Author: Claudiu Boriga <paul.boriga at 1and1.ro>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2017-08-01T10:36:01+02:00

carrierroute: avoid ovverruning a fixed sized buffer

---

Modified: src/modules/carrierroute/cr_fifo.c

---

Diff:  https://github.com/kamailio/kamailio/commit/5e098077525b2d06834a03f69ea246835af6f11c.diff
Patch: https://github.com/kamailio/kamailio/commit/5e098077525b2d06834a03f69ea246835af6f11c.patch

---

diff --git a/src/modules/carrierroute/cr_fifo.c b/src/modules/carrierroute/cr_fifo.c
index bab8bab41f..ff183e85f5 100644
--- a/src/modules/carrierroute/cr_fifo.c
+++ b/src/modules/carrierroute/cr_fifo.c
@@ -1074,14 +1074,19 @@ static int cr_rpc_dump_tree_recursor (rpc_t* rpc, void* ctx, void *gh,
 	char s[256];
 	char rbuf[1024];
 	char *p;
-	int i;
+	int i,len;
 	struct route_flags *rf;
 	struct route_rule *rr;
 	struct route_rule_p_list * rl;
 	double prob;
 
+	len=strlen(prefix);
+	if (len > 254) {
+		LM_ERR("prefix too large");
+		return -1;
+	}
 	strcpy (s, prefix);
-	p = s + strlen (s);
+	p = s + len;
 	p[1] = '\0';
 	for (i = 0; i < cr_match_mode; ++i) {
 		if (node->child[i] != NULL) {
@@ -1101,7 +1106,7 @@ static int cr_rpc_dump_tree_recursor (rpc_t* rpc, void* ctx, void *gh,
 			}
 			snprintf(rbuf, 1024,
 					"%10s: %0.3f %%, '%.*s': %s, '%i', '%.*s', '%.*s', '%.*s'",
-					strlen(prefix) > 0 ? prefix : "NULL", prob * 100,
+					len > 0 ? prefix : "NULL", prob * 100,
 					rr->host.len, rr->host.s,
 					(rr->status ? "ON" : "OFF"), rr->strip,
 					rr->local_prefix.len, rr->local_prefix.s,