
- dst_uri buffer overflow check, discovered in openser (the fix is slightly
different due to slight changes in the append_branch function)
Note: this is not such a big problem as it might sound, the only module
using append_branch() with a non zero dst_uri is registrar and in this
case it sets dst_uri to the received address which is always < 1024 (so it's
always safe).

Andrei Pelinescu-Onciul 19 years ago
parent
commit
1f1d845d0f
1 changed file with 6 additions and 0 deletions

+ 6 - 0
dset.c

@@ -157,6 +157,12 @@ int append_branch(struct sip_msg* msg, char* uri, int uri_len, char* dst_uri, in
 		    uri_len, uri);
 		return -1;
 	}
+	
+	if (dst_uri_len > MAX_URI_SIZE - 1) {
+		LOG(L_ERR, "ERROR: append_branch: too long dst_uri: %.*s\n",
+		    dst_uri_len, ZSW(dst_uri));
+		return -1;
+	}
 
 	     /* if not parameterized, take current uri */
 	if (uri == 0) {
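
Review bot: The error path in the added block logs the entire rejected value: `%.*s` with `dst_uri_len` as the precision writes up to the full over-long dst_uri into the log every time the check fires, so whoever supplies the value also controls the size of the log line. Consider logging the length and the limit instead (for example "too long dst_uri (%d bytes, max %d)"), or at most a bounded prefix. The check is also only an upper bound; if dst_uri_len is a signed int, as its use as a `%.*s` precision implies, a negative length passes it, so either add a `dst_uri_len < 0` test or a comment stating that callers never pass one. Minor style point: the first added line contains only a tab and should be an empty line.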