[asterisk-bugs] [JIRA] (ASTERISK-22590) BufferOverflow in unpacksms16() when receiving 16 bit multipart SMS with app_sms

Jan Juergens (JIRA) noreply at issues.asterisk.org
Thu Sep 26 07:18:03 CDT 2013 

     [ https://issues.asterisk.org/jira/browse/ASTERISK-22590?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Juergens updated ASTERISK-22590:
------------------------------------

    Attachment: Handle16BitSmsWithOddLength.patch

The patch that addresses the issue.
                
> BufferOverflow in unpacksms16() when receiving 16 bit multipart SMS with app_sms
> --------------------------------------------------------------------------------
>
>                 Key: ASTERISK-22590
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22590
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Applications/app_sms
>    Affects Versions: SVN
>         Environment: Debian 7,1, Kernel 3.2.0-4-686-pae
>            Reporter: Jan Juergens
>            Severity: Critical
>         Attachments: Handle16BitSmsWithOddLength.patch
>
>
> In the current HEAD, a buffer overflow in app_sms.c prevents Asterisk from receiving 16 bit multipart SMS, as it runs in an endless loop over the array boundaries.
> The function unpacksms16() always expects an even number of bytes to be processed. If, however, the user data header contains an odd number of bytes, the second while-loop never terminates (l is never 0 in the while condition) and it keeps overwriting the boundaries of *i until Asterisk terminates with a SIGSEGFAULT. 
> The odd number of bytes are according to specification, though (http://www.etsi.org/deliver/etsi_ts%5C123000_123099%5C123040%5C11.05.00_60%5Cts_123040v110500p.pdf page 74). 
> The error has been reproduced by sending a multipart SMS with 16 bit encoding from Deutsche Telekom and Vodafone to a German landline number, which is handled by Asterisk.
> We have addressed this issue by creating a patch, which checks for an odd number of bytes and adds another byte in that case.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the asterisk-bugs mailing list