[asterisk-bugs] [Asterisk 0011408]: Buffer overflow when maxmsg not used for IMAP storage users

noreply at bugs.digium.com
Wed Nov 28 17:34:07 CST 2007


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=11408 
====================================================================== 
Reported By:                jaroth
Assigned To:                putnopvut
====================================================================== 
Project:                    Asterisk
Issue ID:                   11408
Category:                   Applications/app_voicemail
Reproducibility:            random
Severity:                   crash
Priority:                   normal
Status:                     assigned
Asterisk Version:            SVN 
SVN Branch (only for SVN checkouts, not tarball releases):  trunk 
SVN Revision (number only!): 90000 
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             11-28-2007 14:48 CST
Last Modified:              11-28-2007 17:34 CST
====================================================================== 
Summary:                    Buffer overflow when maxmsg not used for IMAP
storage users
Description: 
When users do not have maxmsg set individually, or when maxmsg is not set,
memory allocation and deallocation of the "deleted" and "heard" arrays can
cause a crash. This patch uses MAXMSG to size these arrays when using
IMAP.  This guarantees that the array will always be big enough to hold all
messages that might be accessed.  This is even more important when using
IMAP quotas instead of message count to limit the number of messages in a
box, and when mailboxes can be accessed directly from an IMAP mail client. 
====================================================================== 

---------------------------------------------------------------------- 
 putnopvut - 11-28-07 17:34  
---------------------------------------------------------------------- 
I think this is somewhat related to issue 11101, but I might be off. The
issue there is that more than 256 messages will cause a crash due to a
buffer overflow of the msgArray. The reason I see these as related is that
I think the patch I have provided may fix this issue, too.

The main problem I have with maxmsg_imap.patch is that it doesn't actually
improve on what the code does for the case you have stated in the
description. The reason is that vmu->maxmsg will always be set to MAXMSG if
a maxmsg is not specified in voicemail.conf. The patch is problematic in
the case where a user *has* defined a maxmsg, especially if maxmsg is
greater than MAXMSG. Hard coding the allocation of the deleted array to
MAXMSG is error-prone since the msgArray parameter is sized at 256. This
means that you can only delete or hear the first 100 messages in a mailbox.
If you attempt to hear or delete any message beyond the 100th, you will
crash Asterisk since you will be accessing out-of-bounds memory. 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
11-28-07 17:34  putnopvut      Note Added: 0074528                          
======================================================================
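
The sizing mismatch discussed in the note above, shown as an added C example that is not part of the original report and is not Asterisk's code: the flag array is sized to cover both the configured limit and every index the message array can yield, and each write is bounds-checked. All names are hypothetical; the sizes 256 and 100 are the figures quoted in the note, and the "heard" array would be handled the same way as "deleted".

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names; the two sizes are the figures quoted in the note. */
#define MSG_ARRAY_SLOTS 256 /* capacity of the message index array */
#define DEFAULT_MAXMSG  100 /* assumed MAXMSG, from the note's 100-message figure */

struct mailbox_flags {
    size_t slots;           /* slots actually allocated */
    unsigned char *deleted; /* one flag per message index */
};

/* Cover the configured limit and every index the message array can yield. */
static size_t flag_slots(int user_maxmsg)
{
    size_t limit = user_maxmsg > 0 ? (size_t)user_maxmsg : DEFAULT_MAXMSG;
    return limit > MSG_ARRAY_SLOTS ? limit : MSG_ARRAY_SLOTS;
}

static int flags_open(struct mailbox_flags *mf, int user_maxmsg)
{
    mf->slots = flag_slots(user_maxmsg);
    mf->deleted = calloc(mf->slots, 1);
    if (!mf->deleted)
        mf->slots = 0;
    return mf->deleted ? 0 : -1;
}

/* Reject any message index outside the allocation instead of writing to it. */
static int mark_deleted(struct mailbox_flags *mf, int msg)
{
    if (msg < 0 || (size_t)msg >= mf->slots)
        return -1;
    mf->deleted[msg] = 1;
    return 0;
}

int main(void)
{
    struct mailbox_flags mf;
    if (flags_open(&mf, 0) != 0) /* 0 = no per-user maxmsg configured */
        return 1;
    printf("msg 150: %d, msg 300: %d\n", mark_deleted(&mf, 150), mark_deleted(&mf, 300));
    free(mf.deleted);
    return 0;
}
```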