[asterisk-bugs] [JIRA] (ASTERISK-26896) Overflow of buffer to PQEscapeStringConn with large app_args causes ABRT

Asterisk Team (JIRA) noreply at issues.asterisk.org
Fri Mar 24 16:24:10 CDT 2017


    [ https://issues.asterisk.org/jira/browse/ASTERISK-26896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=236125#comment-236125 ] 

Asterisk Team commented on ASTERISK-26896:
------------------------------------------

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

> Overflow of buffer to PQEscapeStringConn with large app_args causes ABRT
> ------------------------------------------------------------------------
>
>                 Key: ASTERISK-26896
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-26896
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: CEL/cel_pgsql
>    Affects Versions: 11.25.1, 13.15.0
>            Reporter: twisted
>
> If you have more than 513 characters being passed as arguments into a CEL log request (such as the dial app with a large array of devices), the module attempts to pass the char* pointer along with a buffer that is only allocated 513 bytes.  PQEscapeStringConn() expects an appropriately sized buffer, and thus overflows our buffer, causing a SIGABRT when glibc detects the stack smash has occurred.
> I have a patch that will resize our escape buffer if our value passed exceeds the initial 513 bytes.
> The data used in this instance was to Dial.
> {code}Dial(SIP/2643&SIP/2393&SIP/2647&SIP/2997&SIP/2451Polycom&SIP/2400Polycom&SIP/2672&SIP/2366Polycom&SIP/2374&SIP/2405&SIP/2379&SIP/2338&SIP/2455&SIP/2355&SIP/2733&SIP/2531&SIP/2649&SIP/2365&SIP/2404&SIP/2447&SIP/2446&SIP/2541&SIP/2602Polycom&SIP/2387Polycom&SIP/2677&SIP/2735&SIP/2272&SIP/2526Polycom&SIP/2659&SIP/2514&SIP/2737Polycom&SIP/2675Polycom&SIP/2747&SIP/2293&SIP/2407&SIP/2553&SIP/2553Polycom&SIP/2566&SIP/2648&SIP/2422&SIP/2739&SIP/2758&SIP/2692&SIP/2537Polycom&SIP/2605&SIP/2413&SIP/2563&SIP/2204Polycom&SIP/2410Polycom&SIP/2289&SIP/2369&SIP/2445Polycom&SIP/2170Polycom&SIP/2420Polycom&SIP/2421Polycom&SIP/2391&SIP/2758Polycom&SIP/2700&SIP/2217&SIP/2454&SIP/2506,25,t){code}
> Resulting in an ABRT with **stack smashing detected** pointing at cel_pgsql.c.
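The sizing rule behind this report, shown as an added example in C (this is not Asterisk's cel_pgsql code and not libpq): libpq documents that the destination passed to PQescapeStringConn() must hold at least 2*length+1 bytes, because every input byte may expand to two and a terminating NUL is appended, so a fixed 513-byte buffer is only safe for inputs of 256 bytes or fewer. `model_escape_string` is a constructed stand-in for PQescapeStringConn that doubles single quotes and, like the real function, trusts the caller to have sized the buffer; `escape_app_args` is the hardened form that sizes a heap buffer from the input; `build_dial_args` constructs a Dial-style device list like the one in the report (the device names are made up). The 513-byte figure is taken from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for PQescapeStringConn(): copies `len` bytes of `from`
 * into `to`, doubling single quotes, and NUL-terminates. As with libpq, it
 * never checks the size of `to`; the caller must provide 2*len+1 bytes. */
static size_t model_escape_string(char *to, const char *from, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (from[i] == '\'')
            to[n++] = '\'';
        to[n++] = from[i];
    }
    to[n] = '\0';
    return n;
}

/* Bytes the escape target must hold for `len` input bytes (libpq's contract). */
size_t escape_buffer_needed(size_t len)
{
    return 2 * len + 1;
}

/* The pattern from the report: a fixed 513-byte buffer. Returns 1 when an
 * input of `len` bytes can be escaped into it, 0 when the escape could run
 * past its end (the condition that trips glibc's stack protector). */
#define FIXED_ESCAPE_BUF 513
int fits_fixed_buffer(size_t len)
{
    return escape_buffer_needed(len) <= FIXED_ESCAPE_BUF;
}

/* Hardened form: size the buffer from the input instead of assuming a
 * maximum. Returns a malloc'd escaped copy (caller frees) or NULL. */
char *escape_app_args(const char *value)
{
    size_t len = strlen(value);
    size_t need = escape_buffer_needed(len);
    if (need < len)            /* 2*len+1 wrapped around size_t */
        return NULL;
    char *buf = malloc(need);
    if (!buf)
        return NULL;
    model_escape_string(buf, value, len);
    return buf;
}

/* Constructed sample input: n devices joined with '&', as Dial() receives
 * them (SIP/2000&SIP/2001&...). Returns a malloc'd string or NULL. */
char *build_dial_args(size_t n)
{
    if (n == 0)
        return NULL;
    size_t len = n * 8 + (n - 1);      /* "SIP/2000" is 8 bytes, plus separators */
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        if (i)
            s[pos++] = '&';
        pos += (size_t)snprintf(s + pos, len + 1 - pos, "SIP/%04zu", 2000 + i);
    }
    return s;
}

int main(void)
{
    char *args = build_dial_args(60);   /* 539 bytes, comparable to the report */
    if (!args)
        return 1;
    printf("app_args length %zu, fixed %d-byte buffer sufficient: %s\n",
           strlen(args), FIXED_ESCAPE_BUF,
           fits_fixed_buffer(strlen(args)) ? "yes" : "no");
    char *escaped = escape_app_args(args);
    if (escaped) {
        printf("escaped into a %zu-byte buffer without truncation\n",
               escape_buffer_needed(strlen(args)));
        free(escaped);
    }
    free(args);
    return 0;
}
```

The check worth keeping from this is `fits_fixed_buffer`: any code that escapes into a buffer of fixed size must compare 2*len+1 against that size before calling the escape routine, and a dial string of a few dozen devices already exceeds the 256-byte input limit that a 513-byte buffer implies.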



--
This message was sent by Atlassian JIRA
(v6.2#6252)