From 3355f6f6a4cca8d29afa8a5f9c2b499c9bd6795b Mon Sep 17 00:00:00 2001
From: Marcel Haldemann
Date: Sat, 31 Jan 2026 14:09:28 +0100
Subject: [PATCH] [mod_amqp] implement dynamic mem alloc for longer messages to prevent buffer overflow
---
 .../mod_amqp/mod_amqp_command.c | 32 +++++++++++++++++--
 1 file changed, 29 insertions(+), 3 deletions(-)
diff --git a/src/mod/event_handlers/mod_amqp/mod_amqp_command.c b/src/mod/event_handlers/mod_amqp/mod_amqp_command.c
index 48cdf55ce4e..35a3a689c68 100644
--- a/src/mod/event_handlers/mod_amqp/mod_amqp_command.c
+++ b/src/mod/event_handlers/mod_amqp/mod_amqp_command.c
@@ -387,7 +387,8 @@ void * SWITCH_THREAD_FUNC mod_amqp_command_thread(switch_thread_t *thread, void
 amqp_rpc_reply_t res;
 amqp_envelope_t envelope;
 struct timeval timeout = {0};
- char command[10240];
+ char *command = NULL;
+ char stack_buffer[10240]; // Pre-allocated stack buffer for typical cases
 enum ECommandFormat {
 COMMAND_FORMAT_UNKNOWN,
 COMMAND_FORMAT_PLAINTEXT
@@ -469,9 +470,28 @@ void * SWITCH_THREAD_FUNC mod_amqp_command_thread(switch_thread_t *thread, void
 if (commandFormat == COMMAND_FORMAT_PLAINTEXT) {
 switch_stream_handle_t stream = { 0 }; /* Collects the command output */
+ size_t command_len = envelope.message.body.len + 1; // +1 for null terminator
+
+ /* Use stack buffer by default, only allocate from heap if message is larger */
+ if (command_len > sizeof(stack_buffer)) {
+ command = malloc(command_len);
+ if (!command) {
+ switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR,
+ "Memory allocation failed for command of size %zu bytes\n",
+ command_len);
+ amqp_destroy_envelope(&envelope);
+ continue;
+ }
+ switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_INFO,
+ "Large AMQP command received: %zu bytes, using heap allocation\n",
+ envelope.message.body.len);
+ } else {
+ /* Use stack buffer for typical case - zero allocation overhead */
+ command = stack_buffer;
+ }
- /* Convert amqp bytes to c-string */
- snprintf(command, sizeof(command), "%.*s", (int) envelope.message.body.len, (char *) envelope.message.body.bytes);
+ /* Convert amqp bytes to c-string with null termination */
+ snprintf(command, command_len, "%.*s", (int)(command_len - 1), (char *) envelope.message.body.bytes);
 /* Execute the command */
 switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_INFO, "Executing: %s\n", command);
@@ -491,6 +511,12 @@ void * SWITCH_THREAD_FUNC mod_amqp_command_thread(switch_thread_t *thread, void
 switch_safe_free(stream.data);
 }
+ /* Clean up - only free if we allocated from heap */
+ if (command != stack_buffer) {
+ free(command);
+ }
+ command = NULL;
+
 /* Tidy up */
 amqp_destroy_envelope(&envelope);
 }
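Review bot: The heap branch passes a length taken straight from `envelope.message.body.len` to `malloc` with no upper bound, so the publisher of a command message decides how much memory this thread allocates. The old fixed buffer truncated at 10240 bytes and so acted as an implicit limit, which this change removes. The `(int)(command_len - 1)` precision is also only meaningful while the length fits in an `int`; a negative precision is treated as absent, and `%.*s` would then read the non-terminated body until it meets a NUL. A size check ahead of the buffer selection, mirroring the existing allocation-failure path, covers both; the limit name below is a placeholder, and whether a rejected message also needs an AMQP-level reject is not visible from this hunk. The enclosing function starts and ends outside the hunk.

```c
switch_stream_handle_t stream = { 0 }; /* Collects the command output */
size_t body_len = envelope.message.body.len;

/* AMQP_COMMAND_MAX_LEN is a placeholder name: define the largest command this module should accept */
if (body_len > AMQP_COMMAND_MAX_LEN) {
	switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING,
					  "Rejecting AMQP command of %zu bytes: exceeds configured limit\n", body_len);
	amqp_destroy_envelope(&envelope);
	continue;
}
size_t command_len = body_len + 1; /* cannot wrap once body_len is capped */
/* … unchanged: stack/heap buffer selection and snprintf … */
```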
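Review bot: The release of the heap buffer in the third hunk (`@@ -491,6 +511,12 @@`) is reached only when control falls through to the end of the loop body, so any `continue` or `break` between the allocation and this point would leak it; that stretch of the function is not visible in the diff and should be checked. Scoping `command`, `stack_buffer` and the release to the `COMMAND_FORMAT_PLAINTEXT` block, directly after `switch_safe_free(stream.data);`, would tie the buffer's lifetime to the only code that uses it. For consistency with that neighbouring line the release could read `if (command != stack_buffer) { switch_safe_free(command); }`, which also clears the heap pointer.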