[asterisk-bugs] [Asterisk 0018161]: [patch] crashing func_curl hashcompat with invalid data
Asterisk Bug Tracker
noreply at bugs.digium.com
Thu Mar 3 03:52:00 CST 2011
A NOTE has been added to this issue.
======================================================================
https://issues.asterisk.org/view.php?id=18161
======================================================================
Reported By: wdoekes
Assigned To: tilghman
======================================================================
Project: Asterisk
Issue ID: 18161
Category: Functions/func_curl
Reproducibility: always
Severity: crash
Priority: normal
Status: ready for testing
Asterisk Version: SVN
JIRA: SWP-2465
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): 1.6.2
SVN Revision (number only!): 292308
Request Review:
======================================================================
Date Submitted: 2010-10-19 04:21 CDT
Last Modified: 2011-03-03 03:51 CST
======================================================================
Summary: [patch] crashing func_curl hashcompat with invalid
data
Description:
Hi,
if you use the func_curl hashcompat mode, the remote_side of the curl call
can crash asterisk in a couple of ways:
(1) Supply a large amount of data, just enough for the allocation(s) of
'ast_str str' to succeed (through curl_easy_perform/WriteMemoryCallback),
but too large for the fields = ast_str_create(..) and values =
ast_str_create(..).
When memory is full, _ast_str_create returns NULL, and then
ast_str_append(&fields, 0, "%s%s", rowcount ? "," : "", name);
will crash in __ast_str_helper at:
int offset = (append && (*buf)->__AST_STR_LEN) ? (*buf)->__AST_STR_USED :
0;
.
(2) Supply '&&' in the data. This will cause:
while ((piece = strsep(&remainder, "&"))) {
char *name = strsep(&piece, "=");
name to be "", but piece to be NULL.
Then ast_uri_decode is called on piece and that function will happily
dereference NULL, causing a crash.
Marked as private, as it is trivial to crash an asterisk if it uses your
website to get data.
Regards,
Walter Doekes
======================================================================
----------------------------------------------------------------------
(0132563) wdoekes (reporter) - 2011-03-03 03:51
https://issues.asterisk.org/view.php?id=18161#c132563
----------------------------------------------------------------------
20110301__issue18161.diff.txt works for me. You still get the double-if (a
triple-if if combined with https://issues.asterisk.org/view.php?id=18046 even),
but I can live with that.
Issue History
Date Modified Username Field Change
======================================================================
2011-03-03 03:51 wdoekes Note Added: 0132563
======================================================================
More information about the asterisk-bugs
mailing list