diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index cd9479a203de4a5e1276a4f99aafbc2e0466fccd..3e97e884b13f5376583920f96c170cc344705b8d 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -11626,9 +11626,28 @@ static int handle_request_invite(struct sip_pvt *p, struct sip_request *req, int
 */
 /* Skip leading whitespace */
- while(replace_id[0] && (replace_id[0] < 33))
- memmove(replace_id, replace_id+1, strlen(replace_id));
+ replace_id = ast_skip_blanks(replace_id);
+
+ /* XXX there are several bugs in the code below,
+ * because 'ptr' can be NULL so all the dereferences in strcasestr()
+ * would cause panics.
+ * I think we should do something like the code below, which also has
+ * the advantage of not depending on the order of headers.
+ * Please test if it works, and in case remove the block in #else / #endif
+ */
+#if 1 /* proposed replacement */
+ start = replace_id;
+ while ( (ptr = strsep(&start, ";")) ) {
+ ptr = ast_skip_blanks(ptr); /* XXX maybe unnecessary ? */
+ if ( (to = strcasestr(ptr, "to-tag=") ) )
+ totag = to + 7; /* skip the keyword */
+ else if ( (to = strcasestr(ptr, "from-tag=") ) ) {
+ fromtag = to + 9; /* skip the keyword */
+ fromtag = strsep(&fromtag, "&"); /* trim what ? */
+ }
+ }
+#else /* original code, buggy */
 if ((ptr = strchr(replace_id, ';'))) {
 *ptr = '\0';
 ptr++;
@@ -11641,6 +11660,7 @@ static int handle_request_invite(struct sip_pvt *p, struct sip_request *req, int
 totag = ptr;
 if ((to = strchr(ptr, ';')))
 *to = '\0';
+ /* XXX this code is also wrong as to can be NULL */
 to++;
 ptr = to;
 }
@@ -11654,6 +11674,7 @@ static int handle_request_invite(struct sip_pvt *p, struct sip_request *req, int
 if ((to = strchr(ptr, ';')))
 *to = '\0';
 }
+#endif
 if (sipdebug && option_debug > 3)
 ast_log(LOG_DEBUG,"Invite/replaces: Will use Replace-Call-ID : %s Fromtag: %s Totag: %s\n", replace_id, fromtag ? fromtag : "<no from tag>", totag ? totag : "<no to tag>");
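Review bot: In the new `strsep` loop the keywords are located with `strcasestr()`, which matches anywhere inside a token, so the Call-ID token itself or a parameter whose name or value merely contains `to-tag=` is accepted as the to-tag. Judging by the debug message, this string is the Replaces value of an incoming INVITE, i.e. remote input, and the tags are presumably used to select the dialog to replace, so the match should be anchored. Consume the Call-ID token before the loop and compare the start of each parameter with `strncasecmp()`. Separately, `fromtag = strsep(&fromtag, "&")` is correct only because of the sequence point at the call, and the `&` trim is not applied to `totag`; a temporary and a comment saying what is being trimmed would help. The enclosing block of handle_request_invite starts and ends outside the hunk.

```c
start = replace_id;
strsep(&start, ";");	/* first token is the Call-ID, not a parameter */
while ((ptr = strsep(&start, ";"))) {
	ptr = ast_skip_blanks(ptr);
	if (!strncasecmp(ptr, "to-tag=", 7))
		totag = ptr + 7;
	else if (!strncasecmp(ptr, "from-tag=", 9)) {
		fromtag = ptr + 9;
		/* … unchanged: '&' trimming of fromtag … */
	}
}
```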
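Review bot: The added comment records a NULL-pointer defect instead of removing it: when `strchr(ptr, ';')` finds nothing, `to++` advances a NULL pointer and `ptr = to` carries it into the code that follows. The branch is compiled out by the `#if 1` added in the first hunk and closed by the `#endif` in the last one, but flipping that switch would bring the defect back. Either delete the `#else` block once the replacement is tested, or guard the advance, for example `if ((to = strchr(ptr, ';'))) { *to++ = '\0'; ptr = to; }`. The surrounding `if` starts outside the hunk.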