[asterisk-bugs] [JIRA] (ASTERISK-22590) BufferOverflow in unpacksms16() when receiving 16 bit multipart SMS with app_sms

Jan Juergens (JIRA) noreply at issues.asterisk.org
Thu Sep 26 07:06:03 CDT 2013


Jan Juergens created ASTERISK-22590:
---------------------------------------

             Summary: BufferOverflow in unpacksms16() when receiving 16 bit multipart SMS with app_sms
                 Key: ASTERISK-22590
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22590
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: Applications/app_sms
    Affects Versions: SVN
         Environment: Debian 7,1, Kernel 3.2.0-4-686-pae
            Reporter: Jan Juergens
            Severity: Critical


In the current HEAD, a buffer overflow in app_sms.c prevents Asterisk from receiving 16 bit multipart SMS, as it runs in an endless loop over the array boundaries.

The function unpacksms16() always expects an even number of bytes to be processed. If, however, the user data header contains an odd number of bytes, the second while-loop never terminates (l is never 0 in the while condition) and it keeps overwriting the boundaries of *i until Asterisk terminates with a SIGSEGFAULT. 
An odd number of bytes is according to the specification, though (http://www.etsi.org/deliver/etsi_ts%5C123000_123099%5C123040%5C11.05.00_60%5Cts_123040v110500p.pdf page 74).

The error has been reproduced by sending a multipart SMS with 16 bit encoding from Deutsche Telekom and Vodafone to a German landline number, which is handled by Asterisk.

We have addressed this issue by creating a patch, which checks for an odd number of bytes and adds another byte in that case.


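The loop failure described in the report above, next to a bounded alternative, as an added example (not Asterisk's code and not the reporter's patch). All function names and the sample bytes are constructed for illustration; storing a trailing single octet as its own unit is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: UDHL=5, one concatenation IE, then 5 payload octets. */
static const uint8_t SAMPLE_UD[] = { 0x05, 0x00, 0x03, 0x2A, 0x02, 0x01,
                                     0x00, 0x48, 0x00, 0x69, 0x00 };

/* Model of the flawed pattern: an 8-bit counter drops by two per unit and the
 * loop stops only at exactly 0. `avail` makes the demo report the runaway (-1). */
static int flawed_loop_model(uint8_t len, size_t avail)
{
    size_t pos = 0;
    while (len != 0) {
        if (pos + 2 > avail) return -1;   /* next step would leave the buffer */
        pos += 2;
        len = (uint8_t)(len - 2);         /* odd len: 1 wraps to 255, never 0 */
    }
    return (int)(pos / 2);
}

/* Payload offset after UDHL + header; -1 if the header overruns the data. */
static int skip_udh(const uint8_t *in, size_t len)
{
    if (len == 0 || (size_t)in[0] + 1 > len) return -1;
    return in[0] + 1;
}

/* Bounded unpack: reads are limited by len, writes by out_cap. A trailing
 * single octet is stored as its own unit (a choice made for this example). */
static int unpack16_bounded(const uint8_t *in, size_t len,
                            uint16_t *out, size_t out_cap)
{
    size_t pos = 0, n = 0;
    while (pos < len) {
        if (n == out_cap) return -1;      /* reject rather than overrun */
        uint16_t v = in[pos++];
        if (pos < len)                    /* low octet only if it exists */
            v = (uint16_t)((v << 8) | in[pos++]);
        out[n++] = v;
    }
    return (int)n;
}

int main(void)
{
    uint16_t out[8];
    int off = skip_udh(SAMPLE_UD, sizeof SAMPLE_UD);
    return unpack16_bounded(SAMPLE_UD + off, sizeof SAMPLE_UD - (size_t)off, out, 8) == 3 ? 0 : 1;
}
```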

