mgcp: NUL-terminate MGCP message
The MGCP message isn't always NUL-terminated when arriving at
mgcp_handle_message(). This may lead to undefined results.
This patch ensures that the message text is NUL-terminated by
setting *msg->tail to '\0' in mgcp_handle_message().
Addresses:
<000b> mgcp_protocol.c:642 Unhandled option: 'r'/114 on 0x3
<000b> mgcp_protocol.c:593 Unhandled SDP option: '='/61 on 0x3
<000b> mgcp_protocol.c:871 Unhandled option: '.'/46 on 0x2
Sponsored-by: On-Waves ehf
diff --git a/openbsc/src/libmgcp/mgcp_protocol.c b/openbsc/src/libmgcp/mgcp_protocol.c
index d4a23a7..645b8a7 100644
--- a/openbsc/src/libmgcp/mgcp_protocol.c
+++ b/openbsc/src/libmgcp/mgcp_protocol.c
@@ -261,12 +261,27 @@
int i, code, handled = 0;
struct msgb *resp = NULL;
char *data;
+ unsigned char *tail = msg->l2h + msgb_l2len(msg); /* char after l2 data */
if (msgb_l2len(msg) < 4) {
LOGP(DMGCP, LOGL_ERROR, "msg too short: %d\n", msg->len);
return NULL;
}
+ /* Ensure that the msg->l2h is NUL terminated. */
+ if (tail[-1] == '\0')
+ /* nothing to do */;
+ else if (msgb_tailroom(msg) > 0)
+ tail[0] = '\0';
+ else if (tail[-1] == '\r' || tail[-1] == '\n')
+ tail[-1] = '\0';
+ else {
+ LOGP(DMGCP, LOGL_ERROR, "Cannot NUL terminate MGCP message: "
+ "Length: %d, Buffer size: %d\n",
+ msgb_l2len(msg), msg->data_len);
+ return NULL;
+ }
+
/* attempt to treat it as a response */
if (sscanf((const char *)&msg->l2h[0], "%3d %*s", &code) == 1) {
LOGP(DMGCP, LOGL_DEBUG, "Response: Code: %d\n", code);
@@ -278,7 +293,6 @@
/*
* Check for a duplicate message and respond.
- * FIXME: Verify that the msg->l3h is NULL terminated.
*/
memset(&pdata, 0, sizeof(pdata));
pdata.cfg = cfg;