[asterisk-bugs] [JIRA] (ASTERISK-21313) Chan skinny possible heap overflow attack
Martin Vit (JIRA)
noreply at issues.asterisk.org
Mon Mar 25 07:08:01 CDT 2013
Martin Vit created ASTERISK-21313:
-------------------------------------
Summary: Chan skinny possible heap overflow attack
Key: ASTERISK-21313
URL: https://issues.asterisk.org/jira/browse/ASTERISK-21313
Project: Asterisk
Issue Type: Bug
Security Level: None
Components: Channels/chan_skinny
Affects Versions: 11.0.2
Reporter: Martin Vit
Severity: Critical
function skinny_req_parse does memcpy:
memcpy(&req->data, s->inbuf+skinny_header_size, letohl(*bufaddr)-4);
where buffaddr is taken from 4 byte integeer directly from skinny packet. It seems that there is no check if this number is > req->data structure. Thus is someone will send malicious packet with big number it will overwrite heap.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the asterisk-bugs
mailing list