From 226d6308fe517f4492247f0ad72e87609c462a3c Mon Sep 17 00:00:00 2001
From: Martin Vit
Date: Sat, 5 Feb 2011 21:58:59 +0000
Subject: [PATCH] try to fix called column which was terminated with NULL instead of '\0' which was causing overflowing this value
---
 sniff.cpp | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/sniff.cpp b/sniff.cpp
index b4bc47e35..0f3913bac 100644
--- a/sniff.cpp
+++ b/sniff.cpp
@@ -96,6 +96,9 @@ char * gettag(const void *ptr, unsigned long len, const char *tag, unsigned long
 int get_sip_peercnam(char *data, int data_len, char *tag, char *peername, int peername_len){
 unsigned long r, r2, peername_tag_len;
 char *peername_tag = gettag(data, data_len, tag, &peername_tag_len);
+ if(!peername_tag_len) {
+ goto fail_exit;
+ }
 if ((r = (unsigned long)memmem(peername_tag, peername_tag_len, "\"", 1)) == 0){
 goto fail_exit;
 }
@@ -103,11 +106,11 @@ int get_sip_peercnam(char *data, int data_len, char *tag, char *peername, int pe
 if ((r2 = (unsigned long)memmem(peername_tag, peername_tag_len, "\" <", 3)) == 0){
 goto fail_exit;
 }
- if (r2 <= r){
+ if (r2 <= r || ((r2 - r) > peername_len) ){
 goto fail_exit;
 }
 memcpy(peername, (void*)r, r2 - r);
- memset(peername + (r2 - r), 0, 1);
+ peername[r2 - r] = '\0';
 return 0;
 fail_exit:
 strcpy(peername, "empty");
@@ -118,6 +121,9 @@ int get_sip_peercnam(char *data, int data_len, char *tag, char *peername, int pe
 int get_sip_peername(char *data, int data_len, char *tag, char *peername, int peername_len){
 unsigned long r, r2, peername_tag_len;
 char *peername_tag = gettag(data, data_len, tag, &peername_tag_len);
+ if(!peername_tag_len) {
+ goto fail_exit;
+ }
 if ((r = (unsigned long)memmem(peername_tag, peername_tag_len, "sip:", 4)) == 0){
 goto fail_exit;
 }
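Review bot: The guard added at the top of get_sip_peercnam tests only `peername_tag_len`, not the pointer `gettag` returned, and the same guard is repeated in the get_sip_peername hunk at @@ -118. gettag's contract is outside this patch; if it can hand back a null pointer while leaving `peername_tag_len` non-zero or unset, the memmem that follows still dereferences it. Initialising the length before the call and checking both, `unsigned long r, r2, peername_tag_len = 0;` and `if (!peername_tag || !peername_tag_len) {`, costs nothing and does not depend on that contract. The body of get_sip_peercnam continues past the end of this hunk.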
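Review bot: The new bound `(r2 - r) > peername_len` is off by one: when `r2 - r` equals `peername_len` the memcpy fills the whole buffer and `peername[r2 - r] = '\0'` writes one byte past its end, so the terminator this commit sets out to fix still overruns on that boundary. The check should read `if (r2 <= r || (r2 - r) >= (unsigned long)peername_len){`; the explicit cast also makes the unsigned-vs-int comparison deliberate rather than implicit. The same check appears in the get_sip_peername hunk at @@ -125 and needs the identical fix. The `strcpy(peername, "empty")` on the fail path remains unbounded; it is only safe if every caller guarantees `peername_len >= 6`, which this hunk cannot show.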
@@ -125,11 +131,11 @@ int get_sip_peername(char *data, int data_len, char *tag, char *peername, int pe
 if ((r2 = (unsigned long)memmem(peername_tag, peername_tag_len, "@", 1)) == 0){
 goto fail_exit;
 }
- if (r2 <= r){
+ if (r2 <= r || ((r2 - r) > peername_len) ){
 goto fail_exit;
 }
 memcpy(peername, (void*)r, r2 - r);
- memset(peername + (r2 - r), 0, 1);
+ peername[r2 - r] = '\0';
 return 0;
 fail_exit:
 strcpy(peername, "empty");