imc: reserve last char in global buffer for ending zero
authorDaniel-Constantin Mierla <miconda@gmail.com>
Tue, 12 May 2020 16:01:15 +0000 (18:01 +0200)
committerDaniel-Constantin Mierla <miconda@gmail.com>
Tue, 12 May 2020 16:01:15 +0000 (18:01 +0200)
src/modules/imc/imc_cmd.c

index 757b17b..bf68967 100644 (file)
@@ -960,7 +960,8 @@ int imc_handle_members(struct sip_msg* msg, imc_cmd_t *cmd,
        }
 
        p = imc_body_buf;
-       left = sizeof(imc_body_buf);
+       imc_body_buf[IMC_BUF_SIZE - 1] = '\0';
+       left = sizeof(imc_body_buf) - 1;
 
        memcpy(p, MEMBERS, sizeof(MEMBERS) - 1);
        p += sizeof(MEMBERS) - 1;
@@ -975,22 +976,22 @@ int imc_handle_members(struct sip_msg* msg, imc_cmd_t *cmd,
                }
 
                if (imp->flags & IMC_MEMBER_OWNER) {
-                       if (left < 1) goto overrun;
+                       if (left < 2) goto overrun;
                        *p++ = '*';
                        left--;
                } else if (imp->flags & IMC_MEMBER_ADMIN) {
-                       if (left < 1) goto overrun;
+                       if (left < 2) goto overrun;
                        *p++ = '~';
                        left--;
                }
 
                name = format_uri(imp->uri);
-               if (left < name->len) goto overrun;
+               if (left < name->len + 1) goto overrun;
                strncpy(p, name->s, name->len);
                p += name->len;
                left -= name->len;
 
-               if (left < 1) goto overrun;
+               if (left < 2) goto overrun;
                *p++ = '\n';
                left--;