$NetBSD$

--- call.cpp.orig	2011-12-20 16:51:43.000000000 +0100
+++ call.cpp	2011-12-20 16:59:12.000000000 +0100
@@ -133,7 +133,14 @@
     char pattern[] = "c=IN IP4 ";
     char *begin, *end;
     char ip[32];
-    begin = strstr(msg, pattern);
+/* patch to counter CVE-2008-2085
+   based on patch published by Nico Golde ias in
+   http://people.debian.org/~nion/nmu-diff/sip-tester-2.0.1-1.1_2.0.1-1.2.patch
+*/
+
+    char *tmp = strdup(msg);
+    if(!tmp) return INADDR_NONE;
+    begin = strstr(tmp, pattern);
     if (!begin) {
       /* Can't find what we're looking at -> return no address */
       return INADDR_NONE;
@@ -142,8 +149,11 @@
     end = strstr(begin, "\r\n");
     if (!end)
       return INADDR_NONE;
+    *end = 0;
     memset(ip, 0, 32);
-    strncpy(ip, begin, end - begin);
+    strncpy(ip, begin, sizeof(ip) - 1);
+    ip[sizeof(ip) - 1] = 0;
+    free(tmp);
     return inet_addr(ip);
 }
 
@@ -156,11 +166,13 @@
     char pattern[] = "c=IN IP6 ";
     char *begin, *end;
     char ip[128];
+    char *tmp = strdup(msg);
 
     memset(addr, 0, sizeof(*addr));
     memset(ip, 0, 128);
 
-    begin = strstr(msg, pattern);
+    if(!tmp) return 0;
+    begin = strstr(tmp, pattern);
     if (!begin) {
       /* Can't find what we're looking at -> return no address */
       return 0;
@@ -169,7 +181,11 @@
     end = strstr(begin, "\r\n");
     if (!end)
       return 0;
-    strncpy(ip, begin, end - begin);
+
+    *end = 0;
+    strncpy(ip, begin, sizeof(ip) - 1);
+    ip[sizeof(ip) - 1] = 0;
+    free(tmp);
     if (!inet_pton(AF_INET6, ip, addr)) {
       return 0;
     }
@@ -196,7 +212,10 @@
 	ERROR("Internal error: Undefined media pattern %d\n", 3);
     }
 
-    begin = strstr(msg, pattern);
+    char *tmp = strdup(msg);
+
+    if(!tmp) return 0;
+    begin = strstr(tmp, pattern);
     if (!begin) {
       /* m=audio not found */
       return 0;
@@ -205,8 +224,11 @@
     end = strstr(begin, "\r\n");
     if (!end)
       ERROR("get_remote_port_media: no CRLF found");
+    *end = 0;
     memset(number, 0, sizeof(number));
     strncpy(number, begin, sizeof(number) - 1);
+    number[sizeof(number) - 1] = 0;
+    free(tmp);
     return atoi(number);
 }
 
