[asterisk-bugs] [Asterisk 0018161]: [patch] crashing func_curl hashcompat with invalid data

Asterisk Bug Tracker noreply at bugs.digium.com
Tue Mar 1 01:18:34 CST 2011


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=18161 
====================================================================== 
Reported By:                wdoekes
Assigned To:                tilghman
====================================================================== 
Project:                    Asterisk
Issue ID:                   18161
Category:                   Functions/func_curl
Reproducibility:            always
Severity:                   crash
Priority:                   normal
Status:                     assigned
Asterisk Version:           SVN 
JIRA:                       SWP-2465 
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): 1.6.2 
SVN Revision (number only!): 292308 
Request Review:              
====================================================================== 
Date Submitted:             2010-10-19 04:21 CDT
Last Modified:              2011-03-01 01:18 CST
====================================================================== 
Summary:                    [patch] crashing func_curl hashcompat with invalid
data
Description: 
Hi,

if you use the func_curl hashcompat mode, the remote_side of the curl call
can crash asterisk in a couple of ways:

(1) Supply a large amount of data, just enough for the allocation(s) of
'ast_str str' to succeed (through curl_easy_perform/WriteMemoryCallback),
but too large for the fields = ast_str_create(..) and values =
ast_str_create(..).

When memory is full, _ast_str_create returns NULL, and then
  ast_str_append(&fields, 0, "%s%s", rowcount ? "," : "", name);
will crash in __ast_str_helper at:
  int offset = (append && (*buf)->__AST_STR_LEN) ? (*buf)->__AST_STR_USED : 0;

(2) Supply '&&' in the data. This will cause:
  while ((piece = strsep(&remainder, "&"))) {
    char *name = strsep(&piece, "=");
name to be "", but piece to be NULL.
Then ast_uri_decode is called on piece and that function will happily
dereference NULL, causing a crash.


Marked as private, as it is trivial to crash an asterisk if it uses your
website to get data.


Regards,
Walter Doekes
====================================================================== 

---------------------------------------------------------------------- 
 (0132474) wdoekes (reporter) - 2011-03-01 01:18
 https://issues.asterisk.org/view.php?id=18161#c132474 
---------------------------------------------------------------------- 
Well.. the regular case would be when we call it. The only time we wouldn't
call it would be if (piece[0] == '\0').

Imagine a document with lots of properly formatted key value pairs: we
don't need to do the extra if for every iteration, we only need it for
invalid data. And, if you put the if there, you implicitly have *two*
checks for piece being NULL, because the second if was really only needed
when piece was NULL originally.

But if you do like the if, we could've gone with (parts of) my original
patch, and put the whole assignment stuff in the if (piece != NULL) {}
block. 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2011-03-01 01:18 wdoekes        Note Added: 0132474                          
======================================================================
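
Case (2) from the description above, as an added example that is not part of the original report or the Asterisk source: a strsep() loop that decodes a value only when piece is non-NULL, and that checks its one allocation as case (1) calls for. parse_pairs and decode_plus are hypothetical names, and decode_plus is a simplified stand-in for a URI decoder that assumes a non-NULL argument.

```c
#define _DEFAULT_SOURCE /* exposes strsep() and strdup() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a URI decoder: dereferences s, so s must not be NULL. */
static void decode_plus(char *s)
{
    for (; *s; s++)
        if (*s == '+')
            *s = ' ';
}

/* Hypothetical parser: writes "name=value;" pairs to out (outlen > 0). Returns the
 * pair count, or -1 if strdup() fails. *no_value counts segments without '='. */
int parse_pairs(const char *body, char *out, size_t outlen, int *no_value)
{
    char *copy = strdup(body), *remainder = copy, *piece;
    size_t used = 0;
    int pairs = 0;
    *no_value = 0;
    out[0] = '\0';
    if (!copy)
        return -1; /* a failed allocation is reported, never dereferenced */
    while ((piece = strsep(&remainder, "&"))) {
        char *name = strsep(&piece, "="); /* piece becomes NULL if no '=' */
        *no_value += (piece == NULL);
        if (piece)
            decode_plus(piece); /* decode only a value that exists */
        else if (name[0] == '\0')
            continue; /* empty segment, as produced by "&&" */
        int n = snprintf(out + used, outlen - used, "%s=%s;", name, piece ? piece : "");
        if (n < 0 || (size_t)n >= outlen - used) {
            out[used] = '\0'; /* drop the partial pair and stop */
            break;
        }
        used += (size_t)n;
        pairs++;
    }
    free(copy);
    return pairs;
}

int main(void)
{
    char out[128]; /* the body passed below is a constructed sample */
    int no_value, pairs = parse_pairs("a=1&&b=x+y&c", out, sizeof(out), &no_value);
    printf("%d pairs, %d segments without '=': %s\n", pairs, no_value, out);
    return 0;
}
```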



