From: Miklos Tirpak <miklos@iptel.org>
Date: Fri, 23 May 2008 10:13:46 +0000 (+0000)
Subject: check the '=' sign in the sdp line to be on the safe side
X-Git-Tag: sr_before_modules_merge~315
X-Git-Url: http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=commitdiff_plain;h=14b41ee3d966db3de7e531f3755860dd643fd65c

check the '=' sign in the sdp line to be on the safe side
---

diff --git a/select_core.c b/select_core.c
index e37d70bcf3..387d0e4cf3 100644
--- a/select_core.c
+++ b/select_core.c
@@ -496,6 +496,7 @@ int select_msg_body(str* res, select_t* s, struct sip_msg* msg)
 	return 0;	
 }
 
+/* returns the sdp part of the message body */
 int select_msg_body_sdp(str* res, select_t* sel, struct sip_msg* msg)
 {
 	/* try to get the body part with application/sdp */
@@ -508,6 +509,7 @@ int select_msg_body_sdp(str* res, select_t* sel, struct sip_msg* msg)
 		return -1;
 }
 
+/* returns the value of the requested SDP line */
 int select_sdp_line(str* res, select_t* sel, struct sip_msg* msg)
 {
 	int	len;
@@ -547,7 +549,13 @@ int select_sdp_line(str* res, select_t* sel, struct sip_msg* msg)
 	while (buf < buf_end) {
 		if (*buf == line) {
 			/* the requested SDP line is found, return its value */
-			buf += 2;
+			buf++;
+			if ((buf >= buf_end) || (*buf != '=')) {
+				ERR("wrong SDP line format\n");
+				return -1;
+			}
+			buf++;
+
 			line_end = buf;
 			while ((line_end < buf_end) && (*line_end != '\n'))
 				line_end++;