[asterisk-bugs] [Asterisk 0018161]: [patch] crashing func_curl hashcompat with invalid data
Asterisk Bug Tracker
noreply at bugs.digium.com
Mon Nov 15 01:44:42 CST 2010
A NOTE has been added to this issue.
======================================================================
https://issues.asterisk.org/view.php?id=18161
======================================================================
Reported By: wdoekes
Assigned To: tilghman
======================================================================
Project: Asterisk
Issue ID: 18161
Category: Functions/func_curl
Reproducibility: always
Severity: crash
Priority: normal
Status: closed
Asterisk Version: SVN
JIRA: SWP-2465
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): 1.6.2
SVN Revision (number only!): 292308
Request Review:
Resolution: fixed
Fixed in Version:
======================================================================
Date Submitted: 2010-10-19 04:21 CDT
Last Modified: 2010-11-15 01:44 CST
======================================================================
Summary: [patch] crashing func_curl hashcompat with invalid data
Description:
Hi,
If you use the func_curl hashcompat mode, the remote_side of the curl call
can crash Asterisk in a couple of ways:

(1) Supply a large amount of data, just enough for the allocation(s) of
'ast_str str' to succeed (through curl_easy_perform/WriteMemoryCallback),
but too large for the fields = ast_str_create(..) and values =
ast_str_create(..).
When memory is full, _ast_str_create returns NULL, and then
    ast_str_append(&fields, 0, "%s%s", rowcount ? "," : "", name);
will crash in __ast_str_helper at:
    int offset = (append && (*buf)->__AST_STR_LEN) ? (*buf)->__AST_STR_USED : 0;

(2) Supply '&&' in the data. This will cause:
    while ((piece = strsep(&remainder, "&"))) {
        char *name = strsep(&piece, "=");
name to be "", but piece to be NULL.
Then ast_uri_decode is called on piece and that function will happily
dereference NULL, causing a crash.

Marked as private, as it is trivial to crash an Asterisk if it uses your
website to get data.
Regards,
Walter Doekes
======================================================================
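The two failure modes in the description above, handled defensively in a stand-alone parser. This is an added example, not the committed patch or any Asterisk code: parse_pairs and append_item are hypothetical names, fixed-size buffers stand in for ast_str, and URI decoding is left out.

```c
#define _DEFAULT_SOURCE /* strsep() and strdup() are not ISO C */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: bounded, comma-separated append into dst (cap >= 1).
 * Returns 0 on success, -1 if the item did not fit. */
static int append_item(char *dst, size_t cap, const char *item, int first)
{
    size_t used = strlen(dst);
    int n = snprintf(dst + used, cap - used, "%s%s", first ? "" : ",", item);
    return (n < 0 || (size_t)n >= cap - used) ? -1 : 0;
}

/* Split "a=1&b=2" into comma-joined name and value lists.
 * Returns the number of pairs stored, or -1 on allocation failure or overflow. */
int parse_pairs(const char *body, char *fields, char *values, size_t cap)
{
    char *copy = strdup(body), *remainder = copy, *piece;
    int rows = 0;

    if (!copy)
        return -1; /* case (1): check every allocation before using it */
    fields[0] = values[0] = '\0';
    while ((piece = strsep(&remainder, "&"))) {
        char *name = strsep(&piece, "=");
        /* case (2): an empty token ("&&") or one without '=' leaves piece NULL */
        const char *value = piece ? piece : "";
        if (*name == '\0')
            continue; /* nothing to store for an empty name */
        if (append_item(fields, cap, name, rows == 0) ||
            append_item(values, cap, value, rows == 0)) {
            free(copy);
            return -1;
        }
        rows++;
    }
    free(copy);
    return rows;
}

int main(void)
{
    char fields[64], values[64];
    /* Constructed response body containing "&&" and a name without a value. */
    int rows = parse_pairs("a=1&&b=2&c", fields, values, sizeof(fields));
    printf("%d rows: fields=[%s] values=[%s]\n", rows, fields, values);
    return rows == 3 ? 0 : 1;
}
```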
----------------------------------------------------------------------
(0128866) svnbot (reporter) - 2010-11-15 01:44
https://issues.asterisk.org/view.php?id=18161#c128866
----------------------------------------------------------------------
Repository: asterisk
Revision: 294989
_U branches/1.8/
U branches/1.8/funcs/func_curl.c
------------------------------------------------------------------------
r294989 | tilghman | 2010-11-15 01:44:41 -0600 (Mon, 15 Nov 2010) | 15 lines
Merged revisions 294988 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.6.2
........
r294988 | tilghman | 2010-11-15 01:42:39 -0600 (Mon, 15 Nov 2010) | 8 lines
It is possible to crash Asterisk by feeding the curl engine invalid data.
(closes issue https://issues.asterisk.org/view.php?id=18161)
Reported by: wdoekes
Patches:
20101029__issue18161.diff.txt uploaded by tilghman (license 14)
Tested by: tilghman
........
------------------------------------------------------------------------
http://svn.digium.com/view/asterisk?view=rev&revision=294989
Issue History
Date Modified Username Field Change
======================================================================
2010-11-15 01:44 svnbot Checkin
2010-11-15 01:44 svnbot Note Added: 0128866
======================================================================