From 5daf32bb143493ac61f5257e54de423bd9e03986 Mon Sep 17 00:00:00 2001
From: Philip Prindeville
Date: Fri, 16 Sep 2022 17:29:36 -0600
Subject: [PATCH] res_crypto: don't modify fname in try_load_key()

"fname" is passed in as a const char *, but strstr() mangles that into a char *, and we were attempting to modify the string in place. This is an unwanted (and undocumented) side-effect.

ASTERISK-30213

Change-Id: Ifa36d352aafeb7f9beec3f746332865c7d21e629
---
 res/res_crypto.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/res/res_crypto.c b/res/res_crypto.c
index 82014b6752..8d6c536d11 100644
--- a/res/res_crypto.c
+++ b/res/res_crypto.c
@@ -174,18 +174,20 @@ struct ast_key * AST_OPTIONAL_API_NAME(ast_key_get)(const char *kname, int ktype
 static struct ast_key *try_load_key(const char *dir, const char *fname, int ifd, int ofd, int *not2)
 {
 int ktype = 0, found = 0;
- char *c = NULL, ffname[256];
+ const char *c = NULL;
+ char ffname[256];
 unsigned char digest[MD5_DIGEST_LENGTH];
 unsigned digestlen;
 FILE *f;
 EVP_MD_CTX *ctx = NULL;
 struct ast_key *key;
 static int notice = 0;
+ size_t fnamelen = strlen(fname);
 
 /* Make sure its name is a public or private key */
- if ((c = strstr(fname, ".pub")) && !strcmp(c, ".pub")) {
+ if (fnamelen > 4 && !strcmp((c = &fname[fnamelen - 4]), ".pub")) {
 ktype = AST_KEY_PUBLIC;
- } else if ((c = strstr(fname, ".key")) && !strcmp(c, ".key")) {
+ } else if (fnamelen > 4 && !strcmp((c = &fname[fnamelen - 4]), ".key")) {
 ktype = AST_KEY_PRIVATE;
 } else {
 return NULL;
@@ -244,8 +246,6 @@ static struct ast_key *try_load_key(const char *dir, const char *fname, int ifd,
 }
 }
 
- /* Make fname just be the normal name now */
- *c = '\0';
 if (!key) {
 if (!(key = ast_calloc(1, sizeof(*key)))) {
 fclose(f);
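Review bot: In the first hunk of try_load_key() the suffix test is written out twice, each time with the assignment to `c` buried inside strcmp()'s argument, and nothing explains that the `fnamelen > 4` guard is what keeps the unsigned `fnamelen - 4` from wrapping on short names. Setting the pointer once before the test, `c = fnamelen > 4 ? &fname[fnamelen - 4] : NULL;`, and then testing `if (c && !strcmp(c, ".pub"))` / `else if (c && !strcmp(c, ".key"))` removes both the duplication and the side effect in the condition. A comment such as `/* > 4 (not >= 4): a bare ".pub"/".key" would give an empty key name */` would record why the comparison is strict. The function body continues beyond this hunk.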
@@ -254,8 +254,8 @@ static struct ast_key *try_load_key(const char *dir, const char *fname, int ifd,
 }
 /* First the filename */
 ast_copy_string(key->fn, ffname, sizeof(key->fn));
- /* Then the name */
- ast_copy_string(key->name, fname, sizeof(key->name));
+ /* Then the name minus the suffix */
+ snprintf(key->name, sizeof(key->name), "%.*s", (int)(c - fname), fname);
 key->ktype = ktype;
 /* Yes, assume we're going to be deleted */
 key->delme = 1;
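Review bot: The result of the new snprintf() into `key->name` is not checked, so a base name longer than the buffer is truncated silently. ast_copy_string() behaved the same way before, but key names appear to be what ast_key_get() matches on, so two key files sharing a long prefix could end up registered under one name. Testing the length first, `if ((size_t)(c - fname) >= sizeof(key->name))`, and logging a warning there would make the truncation visible to the operator. The precision `(int)(c - fname)` also depends on `c` still pointing at the suffix located at the top of the function, outside this hunk; `(int)(fnamelen - 4)` expresses the same length without that dependency. try_load_key() starts and ends outside the hunk.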