[asterisk-bugs] [JIRA] (ASTERISK-22590) BufferOverflow in unpacksms16() when receiving 16 bit multipart SMS with app_sms
Jan Juergens (JIRA)
noreply at issues.asterisk.org
Thu Sep 26 07:18:03 CDT 2013
[ https://issues.asterisk.org/jira/browse/ASTERISK-22590?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Juergens updated ASTERISK-22590:
------------------------------------
Attachment: Handle16BitSmsWithOddLength.patch
The patch that addresses the issue.
> BufferOverflow in unpacksms16() when receiving 16 bit multipart SMS with app_sms
> --------------------------------------------------------------------------------
>
> Key: ASTERISK-22590
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-22590
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Applications/app_sms
> Affects Versions: SVN
> Environment: Debian 7,1, Kernel 3.2.0-4-686-pae
> Reporter: Jan Juergens
> Severity: Critical
> Attachments: Handle16BitSmsWithOddLength.patch
>
>
> In the current HEAD, a buffer overflow in app_sms.c prevents Asterisk from receiving 16 bit multipart SMS, as it runs in an endless loop over the array boundaries.
> The function unpacksms16() always expects an even number of bytes to be processed. If, however, the user data header contains an odd number of bytes, the second while-loop never terminates (l is never 0 in the while condition) and it keeps overwriting the boundaries of *i until Asterisk terminates with a SIGSEGFAULT.
> The odd number of bytes are according to specification, though (http://www.etsi.org/deliver/etsi_ts%5C123000_123099%5C123040%5C11.05.00_60%5Cts_123040v110500p.pdf page 74).
> The error has been reproduced by sending a multipart SMS with 16 bit encoding from Deutsche Telekom and Vodafone to a German landline number, which is handled by Asterisk.
> We have addressed this issue by creating a patch, which checks for an odd number of bytes and adds another byte in that case.
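The failure mode in the report, as an added example that is not part of the original message and is neither Asterisk's code nor the attached patch. It assumes the loop consumes two bytes per pass with an 8-bit unsigned length; `passes_until_stop` and `unpack16_checked` are hypothetical names, and reporting a dangling byte instead of padding it is this example's choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Models only the length counter (no buffer access) of a loop that takes
 * two bytes per pass while testing an 8-bit unsigned length once per pass.
 * Returns the number of passes before the test sees 0, or `cap` if the
 * counter steps over 0 and wraps to 255 (the odd-length case). */
static unsigned passes_until_stop(uint8_t l, unsigned cap)
{
    unsigned passes = 0;
    while (passes < cap && l--) { /* first byte of the pair */
        l--;                      /* second byte, taken unconditionally */
        passes++;
    }
    return passes;
}

/* Bounds-checked form: decodes big-endian 16-bit units, never reads past
 * in_len and never writes past out_cap. *leftover receives the number of
 * input bytes not consumed (1 = dangling byte, more = output was full). */
static size_t unpack16_checked(const uint8_t *in, size_t in_len,
                               uint16_t *out, size_t out_cap,
                               size_t *leftover)
{
    size_t n = 0;
    while (in_len >= 2 && n < out_cap) {
        out[n++] = (uint16_t)((in[0] << 8) | in[1]);
        in += 2;
        in_len -= 2;
    }
    *leftover = in_len;
    return n;
}

int main(void)
{
    /* Constructed sample: two UCS-2 characters plus one dangling byte. */
    const uint8_t sample[] = { 0x00, 0x41, 0x00, 0x42, 0x43 };
    uint16_t out[8];
    size_t left;
    size_t n = unpack16_checked(sample, sizeof sample, out, 8, &left);

    printf("even length 4: %u passes\n", passes_until_stop(4, 1000));
    printf("odd length 5:  %u passes (cap hit)\n", passes_until_stop(5, 1000));
    printf("checked: %zu units, %zu byte(s) left over\n", n, left);
    return 0;
}
```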