[asterisk-bugs] [JIRA] (ASTERISK-26896) Overflow of buffer to PQEscapeStringConn with large app_args causes ABRT

twisted (JIRA) noreply at issues.asterisk.org
Fri Mar 24 16:24:10 CDT 2017


twisted created ASTERISK-26896:
----------------------------------

             Summary: Overflow of buffer to PQEscapeStringConn with large app_args causes ABRT
                 Key: ASTERISK-26896
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-26896
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: CEL/cel_pgsql
    Affects Versions: 11.25.1, 13.15.0
            Reporter: twisted


If you have more than 513 characters being passed as arguments into a CEL log request (such as the dial app with a large array of devices), the module attempts to pass the char* pointer along with a buffer that is only allocated 513 bytes.  PQEscapeStringConn() expects an appropriately sized buffer, and thus overflows our buffer, causing a SIGABRT when glibc detects the stack smash has occurred.

I have a patch that will resize our escape buffer if our value passed exceeds the initial 513 bytes.

The data used in this instance was passed to Dial.
{code}
Dial(SIP/2643&SIP/2393&SIP/2647&SIP/2997&SIP/2451Polycom&SIP/2400Polycom&SIP/2672&SIP/2366Polycom&SIP/2374&SIP/2405&SIP/2379&SIP/2338&SIP/2455&SIP/2355&SIP/2733&SIP/2531&SIP/2649&SIP/2365&SIP/2404&SIP/2447&SIP/2446&SIP/2541&SIP/2602Polycom&SIP/2387Polycom&SIP/2677&SIP/2735&SIP/2272&SIP/2526Polycom&SIP/2659&SIP/2514&SIP/2737Polycom&SIP/2675Polycom&SIP/2747&SIP/2293&SIP/2407&SIP/2553&SIP/2553Polycom&SIP/2566&SIP/2648&SIP/2422&SIP/2739&SIP/2758&SIP/2692&SIP/2537Polycom&SIP/2605&SIP/2413&SIP/2563&SIP/2204Polycom&SIP/2410Polycom&SIP/2289&SIP/2369&SIP/2445Polycom&SIP/2170Polycom&SIP/2420Polycom&SIP/2421Polycom&SIP/2391&SIP/2758Polycom&SIP/2700&SIP/2217&SIP/2454&SIP/2506,25,t)
{code}

Resulting in an ABRT with **stack smashing detected** pointing at cel_pgsql.c.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
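
The sizing rule behind the report, as an added example that is not part of the JIRA issue or of Asterisk's cel_pgsql code: libpq documents that the output buffer handed to PQescapeStringConn must hold at least 2*length+1 bytes, because every input byte may be doubled and a NUL is appended, so a fixed 513-byte buffer is only safe for inputs of up to 256 bytes. The block below models that contract with a stand-in escape routine (constructed here so it runs without libpq; it doubles single quotes like the real call and, like the real call, does not check the destination size), computes the required size, flags inputs that would overrun a 513-byte buffer, builds a Dial-style app_args string in the shape of the one in the report, and shows a helper that allocates the escape buffer from the input length instead of assuming a fixed size. Names such as `escape_buffer_needed` and `build_dial_args` are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for libpq's PQescapeStringConn(): copies `length`
 * bytes of `from` into `to`, doubling each single quote, and appends a NUL.
 * As with the real function, `to` must already be at least 2*length+1
 * bytes; nothing here checks that, which is exactly the hazard. */
static size_t model_escape_string(char *to, const char *from, size_t length)
{
    size_t out = 0;
    for (size_t i = 0; i < length; i++) {
        if (from[i] == '\'') {
            to[out++] = '\'';
        }
        to[out++] = from[i];
    }
    to[out] = '\0';
    return out;
}

/* Worst-case bytes the escaped output needs for a `length`-byte input:
 * every byte doubled plus the terminating NUL (libpq's documented rule). */
static size_t escape_buffer_needed(size_t length)
{
    return 2 * length + 1;
}

/* Size of the fixed buffer the report describes. */
#define FIXED_ESCAPE_BUF 513

/* Returns 1 when an input of `length` bytes could overrun the fixed
 * buffer, 0 when it is guaranteed to fit. */
static int fixed_buffer_overflows(size_t length)
{
    return escape_buffer_needed(length) > FIXED_ESCAPE_BUF;
}

/* Hardened path: size the escape buffer from the input, never from a
 * constant. Returns a heap buffer the caller frees, or NULL on OOM. */
static char *escape_value(const char *value, size_t *out_len)
{
    size_t length = strlen(value);
    char *buf = malloc(escape_buffer_needed(length));
    if (!buf) {
        return NULL;
    }
    *out_len = model_escape_string(buf, value, length);
    return buf;
}

/* Constructed input shaped like the report's Dial() arguments: `count`
 * SIP devices joined by '&', followed by ",25,t". Caller frees the result. */
static char *build_dial_args(size_t count)
{
    const char suffix[] = ",25,t";
    size_t cap = count * 9 + sizeof(suffix) + 1;  /* "&SIP/2xxx" per device */
    char *s = malloc(cap);
    if (!s) {
        return NULL;
    }
    size_t pos = 0;
    for (size_t i = 0; i < count; i++) {
        pos += (size_t)snprintf(s + pos, cap - pos, "%sSIP/%04zu",
                                i ? "&" : "", (size_t)2000 + i);
    }
    snprintf(s + pos, cap - pos, "%s", suffix);
    return s;
}

int main(void)
{
    char *args = build_dial_args(60);
    if (!args) {
        return 1;
    }
    size_t len = strlen(args);
    printf("app_args is %zu bytes; escape buffer needs %zu, fixed buffer is %d\n",
           len, escape_buffer_needed(len), FIXED_ESCAPE_BUF);
    printf("fixed buffer would overflow: %s\n",
           fixed_buffer_overflows(len) ? "yes" : "no");

    size_t n = 0;
    char *esc = escape_value("O'Brien", &n);
    if (esc) {
        printf("escaped \"O'Brien\" -> \"%s\" (%zu bytes)\n", esc, n);
        free(esc);
    }
    free(args);
    return 0;
}
```

The check to carry into real code is the one `escape_value` makes implicit: compute the destination size from `strlen(value)` at the call site, and either allocate that much or refuse to call the escape routine when it exceeds whatever fixed buffer is in play. Inputs containing quotes are the reason the limit is 256 input bytes rather than 512: the stack smash does not require the whole output to double, only for the output plus NUL to pass the 513th byte.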
