From 5a8b07dee24cbc8bc78da5eece13d207cfd2520f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Grisez?=
Date: Tue, 24 Jan 2017 16:20:40 +0100
Subject: [PATCH] Fix invalid read/write in _linphone_call_params_clone()
---
 coreapi/call_params.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/coreapi/call_params.c b/coreapi/call_params.c
index 2e10383aa..5eaa84592 100644
--- a/coreapi/call_params.c
+++ b/coreapi/call_params.c
@@ -340,11 +340,15 @@ static void _linphone_call_params_uninit(LinphoneCallParams *cp){
 static void _linphone_call_params_clone(LinphoneCallParams *dst, const LinphoneCallParams *src) {
 unsigned int i;
- // WARNING: the structure is not copied entirely to avoid the belle_sip_object_t part to be corrupted.
- memcpy(dst+sizeof(belle_sip_object_t),src+sizeof(belle_sip_object_t),sizeof(LinphoneCallParams)-sizeof(belle_sip_object_t));
+ /*
+ * Save the belle_sip_object_t part, copy the entire structure and restore the belle_sip_object_t part
+ */
+ belle_sip_object_t tmp = dst->base;
+ memcpy(dst, src, sizeof(LinphoneCallParams));
+ dst->base = tmp;
 if (src->record_file) dst->record_file=ms_strdup(src->record_file);
- if (src->session_name) dst->session_name=ms_strdup(dst->session_name);
+ if (src->session_name) dst->session_name=ms_strdup(src->session_name);
 /*
 * The management of the custom headers is not optimal. We copy everything while ref counting would be more efficient.
 */
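Review bot: The added `memcpy(dst, src, sizeof(LinphoneCallParams))` leaves `dst` holding the same pointer values as `src` for every pointer member, and only `record_file` and `session_name` are visibly duplicated in this hunk. Any owned pointer that is not duplicated or re-referenced further down would be shared by both objects and, if `_linphone_call_params_uninit()` releases it (presumably; its body is not shown), freed twice or used after free. The rest of `_linphone_call_params_clone()` lies outside the hunk, so this cannot be confirmed from here; I would state the invariant next to the copy, e.g. `/* After this memcpy dst aliases every pointer owned by src: each owned member must be duplicated or ref'ed below. */`. The same copy also overwrites whatever `dst` pointed to before without releasing it, which is only safe if `dst` is always freshly initialised when this runs, and that assumption deserves a line in the comment as well.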