[Asterisk-bugs] [Asterisk 0010265]: socket_read() does not properly check for recvfrom() error

noreply at bugs.digium.com noreply at bugs.digium.com
Sun Jul 22 16:45:41 CDT 2007


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=10265 
====================================================================== 
Reported By:                timrobbins
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   10265
Category:                   Channels/chan_iax2
Reproducibility:            N/A
Severity:                   major
Priority:                   normal
Status:                     new
Asterisk Version:            SVN 
SVN Branch (only for SVN checkouts, not tarball releases):  1.4  
SVN Revision (number only!): 76329 
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             07-21-2007 22:09 CDT
Last Modified:              07-22-2007 16:45 CDT
====================================================================== 
Summary:                    socket_read() does not properly check for recvfrom() error
Description: 
socket_read() in chan_iax2.c stores the result of recvfrom() in a variable
with an unsigned type (size_t). It then attempts to check for errors by
testing for a negative value, but this cannot ever work.

It looks like this could be used to cause a crash: if another thread is
already processing a full frame for the same call as the one the current
thread last processed, defer_full_frame() will be called and will try to
make a copy of the current thread's receive buffer onto the heap. Due to
integer wraparound it will allocate sizeof(*pkt_buf) - 1 bytes and attempt
to copy SIZE_MAX bytes into that area.

In the other case (frame does not need to be deferred), socket_process()
will detect a "midget" frame.

Suggested fix is to store the result of recvfrom() in a variable of type
ssize_t until after the check for receive errors.

This bug was found with the Intel C/C++ Compiler version 10.0:
chan_iax2.c(6374): warning #186: pointless comparison of unsigned integer with zero
        if (thread->buf_len < 0) {

====================================================================== 
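As an added illustration (not code from this bug report or from chan_iax2), the pattern the report describes side by side with the suggested fix: a negative recvfrom() result stored in a size_t, the "< 0" check that can never fire, and the wraparound in the deferred-frame allocation size. fake_recvfrom_error(), struct deferred_hdr and BUF_SIZE are constructed stand-ins, not names from the Asterisk source.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>

#define BUF_SIZE 4096   /* constructed receive-buffer size */

/* Constructed stand-in for recvfrom(): returns -1 the way the real call
 * does on error, without touching a socket. */
static ssize_t fake_recvfrom_error(void) { return -1; }

/* Buggy pattern from the report: the result lands in a size_t, so -1
 * becomes SIZE_MAX and the "< 0" test can never be true. Returns the
 * length the caller would go on to use. */
static size_t buggy_read_len(void) {
    size_t buf_len = (size_t)fake_recvfrom_error();
    if (buf_len < 0)            /* always false for an unsigned type */
        return 0;
    return buf_len;             /* SIZE_MAX on error */
}

/* Suggested fix: keep the signed ssize_t until after the error check. */
static size_t fixed_read_len(void) {
    ssize_t res = fake_recvfrom_error();
    if (res < 0)
        return 0;               /* error caught, nothing to process */
    return (size_t)res;
}

/* Constructed stand-in for the deferred-frame packet header. */
struct deferred_hdr { uint32_t len; unsigned char buf[1]; };

/* Allocation size for "header plus payload" with no range check: with
 * buf_len == SIZE_MAX the sum wraps to sizeof(struct deferred_hdr) - 1,
 * while the copy that follows would still try to move SIZE_MAX bytes. */
static size_t deferred_alloc_size(size_t buf_len) {
    return sizeof(struct deferred_hdr) + buf_len;
}

/* Defensive variant: reject lengths that no successful recvfrom() into a
 * BUF_SIZE buffer could have produced. Returns 0 on rejection. */
static size_t deferred_alloc_size_checked(size_t buf_len) {
    if (buf_len == 0 || buf_len > BUF_SIZE)
        return 0;
    return sizeof(struct deferred_hdr) + buf_len;
}
```

Compiling the buggy variant with warnings enabled reproduces the compiler's complaint about the unsigned comparison, which is how the report says the bug was found.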

---------------------------------------------------------------------- 
 russell - 07-22-07 16:45  
---------------------------------------------------------------------- 
I am going to mark this as private as I work on verifying the extent of
this issue. 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
07-22-07 16:45  russell        Note Added: 0067730                          
======================================================================