[asterisk-bugs] [JIRA] Closed: (ASTERISK-17959) Buffer overflow in custom_prepare
Matt Jordan (JIRA)
noreply at issues.asterisk.org
Wed Sep 5 08:33:07 CDT 2012
[ https://issues.asterisk.org/jira/browse/ASTERISK-17959?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matt Jordan closed ASTERISK-17959.
----------------------------------
Resolution: Fixed
Fixed in ASTERISK-16123
> Buffer overflow in custom_prepare
> ---------------------------------
>
> Key: ASTERISK-17959
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-17959
> Project: Asterisk
> Issue Type: Bug
> Components: Resources/res_config_odbc
> Affects Versions: 1.8.4
> Reporter: Mikael Carlsson
> Severity: Critical
> Attachments: bt_full.txt
>
>
> If writing to realtime when using ODBC, Asterisk crashes when there is a ';' in the data.
> ****** ADDITIONAL INFORMATION ******
> I am stretching this a bit, but I am testing 17682, astdb over realtime. When I used res_mysql it worked perfectly, but when I switched to odbc Asterisk crashed as soon as a SIP phone registered.
> I traced it to what I believe is a buffer overflow in res_config_odbc.c, and that is that *data is copied to *cps in struct custom_prepare_struct *cps = data;
> Later in the code, if there is a ';' in the *data, it is changed to ^3B, and that adds two more bytes to the data buffer. Later in the code, the use of ast_string_field_set(cps, encoding[x], encodebuf); sets the added buffer back to cps, causing an overflow, and Asterisk crashes.
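The size growth described in the report, as an added example that is not part of the original message and is not Asterisk's code: each ';' rewritten to "^3B" adds two bytes, so a destination sized for the raw value is too small. The helper names `encoded_size` and `encode_semicolons` and the sample value are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not taken from res_config_odbc.c. */

/* Bytes needed (including NUL) once every ';' becomes the 3-byte "^3B". */
size_t encoded_size(const char *src)
{
    size_t n = 1; /* terminating NUL */
    for (; *src; src++)
        n += (*src == ';') ? 3 : 1;
    return n;
}

/* Encode src into dst. Returns the encoded length, or -1 when dst is too
 * small; in that case dst holds an empty string, never a partial write. */
int encode_semicolons(char *dst, size_t dstsize, const char *src)
{
    char *w = dst;

    if (dstsize == 0)
        return -1;
    if (encoded_size(src) > dstsize) {
        dst[0] = '\0';
        return -1;
    }
    for (; *src; src++) {
        if (*src == ';') {
            memcpy(w, "^3B", 3);
            w += 3;
        } else {
            *w++ = *src;
        }
    }
    *w = '\0';
    return (int)(w - dst);
}

int main(void)
{
    const char *value = "sip:1001@host;transport=udp"; /* constructed sample */
    char same_size[28]; /* strlen(value) + 1: fits the raw value only */
    char big[64];

    printf("raw=%zu encoded=%zu\n", strlen(value) + 1, encoded_size(value));
    printf("same-size buffer: %d\n", encode_semicolons(same_size, sizeof same_size, value));
    printf("large buffer: %d -> %s\n", encode_semicolons(big, sizeof big, value), big);
    return 0;
}
```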