[asterisk-bugs] [Asterisk 0018161]: [patch] crashing func_curl hashcompat with invalid data

Asterisk Bug Tracker noreply at bugs.digium.com
Mon Nov 15 01:44:42 CST 2010


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=18161 
====================================================================== 
Reported By:                wdoekes
Assigned To:                tilghman
====================================================================== 
Project:                    Asterisk
Issue ID:                   18161
Category:                   Functions/func_curl
Reproducibility:            always
Severity:                   crash
Priority:                   normal
Status:                     closed
Asterisk Version:           SVN 
JIRA:                       SWP-2465 
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): 1.6.2 
SVN Revision (number only!): 292308 
Request Review:              
Resolution:                 fixed
Fixed in Version:           
====================================================================== 
Date Submitted:             2010-10-19 04:21 CDT
Last Modified:              2010-11-15 01:44 CST
====================================================================== 
Summary:                    [patch] crashing func_curl hashcompat with invalid
data
Description: 
Hi,

if you use the func_curl hashcompat mode, the remote_side of the curl call
can crash asterisk in a couple of ways:

(1) Supply a large amount of data, just enough for the allocation(s) of
'ast_str str' to succeed (through curl_easy_perform/WriteMemoryCallback),
but too large for the fields = ast_str_create(..) and values =
ast_str_create(..).

When memory is full, _ast_str_create returns NULL, and then
ast_str_append(&fields, 0, "%s%s", rowcount ? "," : "", name);
will crash in __ast_str_helper at:
int offset = (append && (*buf)->__AST_STR_LEN) ? (*buf)->__AST_STR_USED :
0;
.

(2) Supply '&&' in the data. This will cause:
  while ((piece = strsep(&remainder, "&"))) {
    char *name = strsep(&piece, "=");
name to be "", but piece to be NULL.
Then ast_uri_decode is called on piece and that function will happily
dereference NULL, causing a crash.


Marked as private, as it is trivial to crash an asterisk if it uses your
website to get data.


Regards,
Walter Doekes
====================================================================== 

---------------------------------------------------------------------- 
 (0128866) svnbot (reporter) - 2010-11-15 01:44
 https://issues.asterisk.org/view.php?id=18161#c128866 
---------------------------------------------------------------------- 
Repository: asterisk
Revision: 294989

_U  branches/1.8/
U   branches/1.8/funcs/func_curl.c

------------------------------------------------------------------------
r294989 | tilghman | 2010-11-15 01:44:41 -0600 (Mon, 15 Nov 2010) | 15
lines

Merged revisions 294988 via svnmerge from 
https://origsvn.digium.com/svn/asterisk/branches/1.6.2

........
  r294988 | tilghman | 2010-11-15 01:42:39 -0600 (Mon, 15 Nov 2010) | 8
lines
  
  It is possible to crash Asterisk by feeding the curl engine invalid
data.
  
  (closes issue https://issues.asterisk.org/view.php?id=18161)
   Reported by: wdoekes
   Patches: 
         20101029__issue18161.diff.txt uploaded by tilghman (license 14)
   Tested by: tilghman
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=294989 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-11-15 01:44 svnbot         Checkin                                      
2010-11-15 01:44 svnbot         Note Added: 0128866                          
======================================================================




More information about the asterisk-bugs mailing list