topology_hiding: fix encoded Contact length calculation

This leads to segfaults (and probable vulnerabilities) when the allocated buffer is not long enough to contain its contents. This bug was introduced in e23be5d presumably as a copy-and-paste mistake.
OpenSIPS · Dec 1, 2023 · ac1e2f3 · ac1e2f3
1 parent d832370
commit ac1e2f3
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/modules/topology_hiding/topo_hiding_logic.c b/modules/topology_hiding/topo_hiding_logic.c
@@ -1618,7 +1618,7 @@ static char* build_encoded_contact_suffix(struct sip_msg* msg,int *suffix_len)
 					/* we just iterate over the unknown params */
 					for (i=0;i<ctu.u_params_no;i++) {
 						if (str_match(&el->param_name, &ctu.u_name[i]))
-							suffix_len += topo_ct_param_len(&ctu.u_name[i], &ctu.u_val[i], 0);
+							total_len += topo_ct_param_len(&ctu.u_name[i], &ctu.u_val[i], 0);
 					}
 				}
 			}
@@ -1634,7 +1634,7 @@ static char* build_encoded_contact_suffix(struct sip_msg* msg,int *suffix_len)
 			for (el=th_hdr_param_list;el;el=el->next) {
 				for (it=((contact_body_t *)msg->contact->parsed)->contacts->params;it;it=it->next) {
 					if (str_match(&el->param_name, &it->name))
-						suffix_len += topo_ct_param_len(&it->name, &it->body, 1);
+						total_len += topo_ct_param_len(&it->name, &it->body, 1);
 				}
 			}
 		}